Decoy and deceptive data object technology

ABSTRACT

A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising launching, on one or more decoy endpoints, one or more decoy operating system (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network, updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the deception application(s) wherein the plurality of deception data objects are configured to trigger an interaction with the deception application(s) when used, detecting usage of data contained in the deception data object(s) by monitoring the interaction and identifying one or more potential unauthorized operations based on analysis of the detection.

RELATED APPLICATIONS

This application is a Continuation-In-Part (CIP) of PCT/IB2016/054306 having international filing date of Jul. 20, 2016, which claims the benefit of priority under 35 USC 119(e) of U.S. Provisional Patent Application No. 62/194,863 filed on Jul. 21, 2015, the contents of which are incorporated herein by reference in their entirety.

FIELD AND BACKGROUND OF THE INVENTION

The present invention, in some embodiments thereof, relates to detecting potential unauthorized operations in a protected network, and, more specifically, but not exclusively, to detecting potential unauthorized operations in a protected network by monitoring interaction between dynamically updated deception data objects deployed in the protected system and deception applications hosted by a decoy endpoint.

Organizations of all sizes and types face the threat of being attacked by advanced attackers who may be characterized as having substantial resources of time and tools, and are therefore able to carry out complicated and technologically advanced operations against targets to achieve specific goals, for example, retrieve sensitive data, damage infrastructure and/or the like.

Generally, advanced attackers operate in a staged manner, first collecting intelligence about the target organizations, networks, services and/or systems, initiating an initial penetration of the target, performing lateral movement and escalation within the target network and/or services, taking actions on detected objectives and leaving the target while covering their tracks. Each of the staged approach steps involves tactical iterations through what is known in the art as the observe, orient, decide, act (OODA) loop. This tactic may present itself as most useful for the attackers who may face an unknown environment and therefore begin by observing their surroundings, orienting themselves, then deciding on a course of action and carrying it out.

SUMMARY OF THE INVENTION

According to an aspect of some embodiments of the present invention there is provided a computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising:

-   Launching, on one or more decoy endpoints, one or more decoy operating systems (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network.
-   Updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the one or more deception applications. The deception data objects are configured to trigger an interaction with the one or more deception applications when used.
-   Detecting usage of data contained in one or more of the plurality of deception data objects by monitoring the interaction.
-   Identifying one or more potential unauthorized operations based on analysis of the detection.

The decoy endpoint is a member selected from a group consisting of: a physical device comprising one or more processors and a virtual machine.

The virtual machine is hosted by a local endpoint, a cloud service and/or a vendor service.

Each of the plurality of deception data objects emulates a valid data object used for interacting with the one or more applications.

Each of the plurality of deception data objects is a hashed credentials object, a browser cookie, a registry key, a Server Message Block (SMB) mapped share, a Mounted Network Storage element, a configuration file for remote desktop authentication credentials, a source code file with embedded database authentication credentials and/or a configuration file to a source-code version control system.

The usage indication comprises impersonating that the plurality of deception data objects are used to interact with the one or more deception applications.

The one or more potential unauthorized operations are initiated by a user, a process, an automated tool and/or a machine.

Each of the plurality of applications is an application, a tool, a local service and/or a remote service.

Each of the plurality of applications is selected by one or more of: a user and an automated tool.

The monitoring comprises one or more of:

-   Monitoring network activity of one or more of the plurality of deception applications.
-   Monitoring interaction of the one or more deception applications with the one or more decoy operating systems.
-   Monitoring one or more log records created by the one or more deception applications.
-   Monitoring interaction of one or more of the plurality of deception applications with one or more of a plurality of hardware components in the protected network.

Optionally, the one or more decoy operating systems, the plurality of deception applications and/or the plurality of deception data objects are divided into a plurality of groups according to one or more characteristics of the protected network.

Optionally, a plurality of templates is provided for creating the one or more decoy operating systems, the plurality of deception applications and/or the plurality of deception data objects.

Optionally, each of the plurality of templates comprises a definition of a relationship between at least two of the one or more decoy operating systems, the plurality of deception applications and/or the plurality of deception data objects.

Optionally, one or more of the templates is adjusted by one or more users adapting the one or more templates according to one or more characteristics of the protected network.
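The following Python block is an added example, not code from the patent, showing how a template can tie decoy operating systems, deception applications and deception data objects together through explicit relationships and then be expanded once per group of the protected network. The template format, the group characteristics, the component names and the functions `validate_template`, `expand` and `check_relationships` are all hypothetical, constructed for this illustration.

```python
"""Template-driven construction of deception components (added example)."""

# Hypothetical template: decoy OS images, deception applications bound to a
# decoy OS, and deception data objects bound to the application they open.
TEMPLATE = {
    "decoy_os": [{"name": "win-srv", "image": "windows-server"}],
    "apps": [
        {"name": "rdp", "os": "win-srv", "port": 3389},
        {"name": "smb", "os": "win-srv", "port": 445},
    ],
    "data_objects": [
        {"name": "rdp-config", "kind": "rdp config file", "app": "rdp"},
        {"name": "mapped-share", "kind": "SMB mapped share", "app": "smb"},
    ],
}

# Characteristics of the protected network (constructed sample): one group per
# segment whose real hosts the decoys should resemble.
NETWORK_GROUPS = [
    {"name": "finance", "subnet": "10.10.0.0/24", "hostname_prefix": "FIN"},
    {"name": "rnd", "subnet": "10.20.0.0/24", "hostname_prefix": "RND"},
]


def validate_template(template):
    """Check that every relationship in the template points at a defined member."""
    os_names = {o["name"] for o in template["decoy_os"]}
    app_names = {a["name"] for a in template["apps"]}
    errors = []
    for a in template["apps"]:
        if a["os"] not in os_names:
            errors.append(f"app '{a['name']}' references unknown decoy OS '{a['os']}'")
    for d in template["data_objects"]:
        if d["app"] not in app_names:
            errors.append(f"data object '{d['name']}' references unknown app '{d['app']}'")
    return errors


def expand(template, groups):
    """Instantiate the template once per group, qualifying every name with the
    group so that the relationships stay inside the group."""
    components = []
    for g in groups:
        def q(name, g=g):
            return f"{g['name']}-{name}"
        for o in template["decoy_os"]:
            components.append({
                "type": "decoy_os", "group": g["name"], "name": q(o["name"]),
                "image": o["image"], "subnet": g["subnet"],
                "hostname": f"{g['hostname_prefix']}-{o['name'].upper()}",
            })
        for a in template["apps"]:
            components.append({
                "type": "app", "group": g["name"], "name": q(a["name"]),
                "os": q(a["os"]), "port": a["port"],
            })
        for d in template["data_objects"]:
            components.append({
                "type": "data_object", "group": g["name"], "name": q(d["name"]),
                "kind": d["kind"], "app": q(d["app"]),
            })
    return components


def check_relationships(components):
    """Return (component, reference) pairs whose target is missing or lies in
    another group; an empty list means the expanded environment is consistent."""
    by_name = {c["name"]: c for c in components}
    dangling = []
    for c in components:
        if c["type"] == "app":
            ref = c["os"]
        elif c["type"] == "data_object":
            ref = c["app"]
        else:
            continue
        target = by_name.get(ref)
        if target is None or target["group"] != c["group"]:
            dangling.append((c["name"], ref))
    return dangling


if __name__ == "__main__":
    assert not validate_template(TEMPLATE)
    for c in expand(TEMPLATE, NETWORK_GROUPS):
        print(c)
```

Validating the template before expansion catches a data object that would point at no deception application, which is the kind of dangling breadcrumb an attacker could notice; the per-group check after expansion guards the same invariant once the names have been qualified.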

Optionally, an alert is generated at detection of the one or more potential unauthorized operations.

Optionally, the alert is generated at detection of a combination of a plurality of potential unauthorized operations to detect a complex sequence of the interaction.

Optionally, the analysis comprises false positive prevention to avoid identifying one or more legitimate operations as the one or more potential unauthorized operations.

Optionally, the one or more potential unauthorized operations are analyzed to identify an activity pattern.

Optionally, a learning process is applied on the activity pattern to classify the activity pattern in order to improve detection and classification of one or more future potential unauthorized operations.
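The Python block below is an added example (not the patent's code) of the monitoring, false-positive prevention and combined-alert steps above: it reads log records written by deception applications, keeps only interactions that use a deployed deception data object, drops the refreshes made by the deception engine's own usage emulator, and raises the severity when one source reaches several deception applications in sequence. The log line format, the actor name `usage-emulator`, the object names and the sample log lines are all constructed for this illustration.

```python
"""Monitoring decoy-application interaction with deception data objects
(added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Deception data objects deployed in the protected network (constructed sample),
# each mapped to the deception application it is configured to interact with.
DECEPTION_OBJECTS = {
    "svc_backup": {"kind": "hashed credential", "app": "decoy-rdp"},
    "finance-share": {"kind": "SMB mapped share", "app": "decoy-smb"},
    "git-deploy-token": {"kind": "VCS config file", "app": "decoy-git"},
}

# The deception engine's own usage emulator (hypothetical actor name) touches
# the objects to keep them looking used; its activity must never raise an alert.
EMULATION_ACTORS = {"usage-emulator"}

# Hypothetical one-line log format written by every deception application.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) src=(?P<src>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


@dataclass
class Detection:
    ts: str
    src: str
    actor: str
    app: str
    action: str
    obj: str
    kind: str


@dataclass
class Alert:
    severity: str
    src: str
    detections: list = field(default_factory=list)


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Keep only interactions that use a deployed deception data object and are
    not the emulator's own refreshes (the false-positive filter)."""
    detections = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        spec = DECEPTION_OBJECTS.get(rec["obj"])
        if spec is None or rec["actor"] in EMULATION_ACTORS:
            continue
        detections.append(Detection(rec["ts"], rec["src"], rec["actor"], rec["app"],
                                    rec["action"], rec["obj"], spec["kind"]))
    return detections


def correlate(detections, min_stages=2):
    """Group detections by source; a source that reached at least min_stages
    distinct deception applications is a multi-stage sequence (severity high)."""
    by_src = defaultdict(list)
    for d in detections:
        by_src[d.src].append(d)
    alerts = []
    for src, ds in by_src.items():
        severity = "high" if len({d.app for d in ds}) >= min_stages else "medium"
        alerts.append(Alert(severity, src, ds))
    return alerts


# Constructed sample log: an emulator refresh, a two-stage sequence from one
# source, a legitimate read of a real share, a single-stage use, and noise.
SAMPLE_LOG = [
    "2016-07-20T10:00:00Z app=decoy-rdp src=10.0.0.7 actor=usage-emulator action=login object=svc_backup",
    "2016-07-20T10:05:12Z app=decoy-rdp src=10.0.0.55 actor=svc_backup action=login object=svc_backup",
    "2016-07-20T10:05:40Z app=decoy-smb src=10.0.0.55 actor=svc_backup action=enumerate object=finance-share",
    "2016-07-20T10:06:00Z app=file-srv src=10.0.0.90 actor=jdoe action=read object=finance-reports",
    "2016-07-20T10:07:00Z app=decoy-git src=10.0.0.12 actor=ci-runner action=clone object=git-deploy-token",
    "kernel: eth0 link up",
]

if __name__ == "__main__":
    for a in correlate(detect(SAMPLE_LOG)):
        print(a.severity, a.src, [(d.app, d.obj) for d in a.detections])
```

Because legitimate users never hold a reference to a deception data object, a single detection is already a strong signal; the correlation step only decides how loudly to alert, and the allowlist of emulator actors is what keeps the dynamic usage updates from alerting on themselves.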

According to an aspect of some embodiments of the present invention there is provided a system for detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising a program store storing a code and one or more processors on one or more decoy endpoints coupled to the program store for executing the stored code. The code comprising:

-   Code instructions to launch one or more decoy operating systems (OS) managing one or more of a plurality of deception applications mapping a plurality of applications executed in a protected network.
-   Code instructions to update dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of the plurality of deception data objects for accessing the one or more deception applications. The plurality of deception data objects are configured to trigger an interaction with the one or more deception applications when used.
-   Code instructions to detect usage of data contained in one or more of the plurality of deception data objects by monitoring the interaction.
-   Code instructions to identify one or more potential unauthorized operations based on an analysis of the detection.

According to an aspect of some embodiments of the present invention there is provided a computer implemented method of containing a malicious attack within a deception environment by directing the malicious attack to a dynamically created deception environment, comprising:

-   Detecting an attempt of a potential attacker to access a protected network by identifying false access information used by the potential attacker, wherein the false access information is associated with a certain user of the protected network.
-   Creating dynamically a deception environment associated with the certain user within the protected network in response to the attempt, wherein the deception environment comprises one or more members selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints.
-   In response to the attempt, granting access to the potential attacker into the deception environment.
-   Monitoring an attack vector applied by the potential attacker using the false access information in the deception environment.

The decoy endpoint is a member selected from a group consisting of: a local endpoint comprising one or more processors and a virtual machine, wherein the virtual machine is hosted by one or more of: a local endpoint, a cloud service and a vendor service.

The potential attacker is a member selected from a group consisting of: a user, a process, an automated tool and a machine.

The deception environment is created based on public information of the certain user.

The public information is available in one or more networked processing nodes accessible over one or more networks.

The false access information comprises credentials of the certain user.

Optionally, the attempt is not reported to the certain user.

The false access information was provided to the potential attacker during a past attempt of the potential attacker to obtain a real version of the false access information of the certain user.

The past attempt is a phishing attack to obtain the real version of the false access information of the certain user.

The past attempt is based on attracting the certain user to register to a fictive service created by the potential attacker to obtain the real version of the false access information of the certain user.

Optionally, the past attempt is not reported to the certain user.

The attempt is detected by comparing a password included in the false access information to one or more predicted passwords created based on an analysis of public information of the certain user.

Optionally, robustness of a real password created by the certain user is evaluated by comparing the real password to the one or more predicted passwords and alerting the certain user in case the real password is insufficiently robust, wherein the robustness is determined sufficient in case a variation between the predicted password and the real password exceeds a pre-defined number of characters.

Optionally, the certain user is requested to change the real password in case the real password is insufficiently robust.
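As an added example (not the patent's own code), the Python block below implements the two checks described above: an access attempt is classified as using false access information when its credential is one that was deliberately handed to a phishing site earlier, or when its password matches a guess derived from the user's public information; and the user's real password is judged robust only when its edit distance to every such guess exceeds a threshold. The profile fields, the planted credential, the candidate-generation rules, the threshold `MIN_VARIATION` and the function names are assumptions made for this illustration.

```python
"""Identifying access attempts that use false access information, and
checking password robustness against predictable guesses (added example)."""

MIN_VARIATION = 4  # policy threshold in characters (assumed value)


def predicted_passwords(profile):
    """Candidate passwords a guesser could derive from public facts about the
    user: each token, optionally capitalised, alone or followed by a year, a
    two-digit year or a common trailing symbol."""
    tokens = {t.lower() for t in profile.get("tokens", []) if t}
    years = [str(y) for y in profile.get("years", [])]
    candidates = set()
    for tok in tokens:
        for form in (tok, tok.capitalize()):
            candidates.add(form)
            for y in years:
                candidates.add(form + y)
                candidates.add(form + y[-2:])
            for suffix in ("!", "1"):
                candidates.add(form + suffix)
    return candidates


def levenshtein(a, b):
    """Edit distance: the 'variation' between two passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def password_robustness(real_password, predicted):
    """Robust when every predicted password differs from the real one by more
    than MIN_VARIATION characters; reports the closest guess otherwise."""
    if not predicted:
        return {"robust": True, "closest": None, "distance": None}
    closest = min(predicted, key=lambda p: levenshtein(real_password, p))
    distance = levenshtein(real_password, closest)
    return {"robust": distance > MIN_VARIATION, "closest": closest, "distance": distance}


def classify_login(username, password, profile, planted_credentials):
    """Label an access attempt: 'planted' if the credential is one handed out
    in an earlier phishing attempt, 'predicted' if the password matches a guess
    derived from public information, else 'unknown' (left to normal auth)."""
    if (username, password) in planted_credentials:
        return "planted"
    if password in predicted_passwords(profile):
        return "predicted"
    return "unknown"


def route_attempt(username, password, profile, planted_credentials):
    """Attempts using false access information go to the deception
    environment; everything else proceeds to the real authentication path."""
    label = classify_login(username, password, profile, planted_credentials)
    return "deception" if label in ("planted", "predicted") else "real"


# Constructed sample: public facts about a user and a credential previously
# handed to a phishing site on purpose (decoy value, not a real secret).
PROFILE = {"tokens": ["Alice", "Rex"], "years": [1985]}
PLANTED = {("alice", "Rex2015!")}

if __name__ == "__main__":
    print(route_attempt("alice", "Rex1985", PROFILE, PLANTED))
    print(password_robustness("Rex1986!", predicted_passwords(PROFILE)))
```

The same candidate set serves both purposes: at login time it identifies an attempt that could only have been made by someone guessing from public facts or replaying a planted credential, and at password-change time it tells the user that a new password sits too close to such a guess.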

The attack vector comprises one or more actions initiated by the potential attacker.

The attack vector is a multi-stage attack vector comprising a plurality of actions initiated by the potential attacker. At least two of the actions are executed in one or more modes selected from: a series execution, a parallel execution.

The deception environment is dynamically updated based on analysis of the attack vector in order to deceive the potential attacker to presume the deception environment is a real processing environment. The update includes updating one or more of: an information item of the certain user, a structure of the deception environment and a deployment of the deception environment.

Optionally, the deception environment is extended dynamically based on analysis of the attack vector in order to contain the attack vector.

According to an aspect of some embodiments of the present invention there is provided a system for containing a malicious attack within a deception environment by directing the malicious attack to a dynamically created deception environment, comprising a program store storing a code and one or more processors on one or more decoy endpoints in a deception environment. The processor(s) is coupled to the program store for executing the stored code, the code comprising:

-   Code instructions to detect an attempt of a potential attacker to access a protected network by identifying false access information used by the potential attacker, wherein the false access information is associated with a certain user of the protected network.
-   Code instructions to create dynamically a deception environment associated with the certain user within the protected network in response to the attempted access, wherein the deception environment comprises one or more members selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints.
-   Code instructions to grant access to the potential attacker into the deception environment.
-   Code instructions to monitor an attack vector applied by the potential attacker using the false access information in the deception environment.

Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the invention pertains. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of embodiments of the invention, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, will control. In addition, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

Some embodiments of the invention are herein described, by way of example only, with reference to the accompanying drawings. With specific reference now to the drawings in detail, it is stressed that the particulars shown are by way of example and for purposes of illustrative discussion of embodiments of the invention. In this regard, the description taken with the drawings makes apparent to those skilled in the art how embodiments of the invention may be practiced.

In the drawings:

FIG. 1 is a flowchart of an exemplary process for creating and maintaining a deception environment in order to detect potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2A is a schematic illustration of an exemplary first embodiment of a system for creating and maintaining a deception environment in order to detect potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2B is a schematic illustration of an exemplary second embodiment of a system for creating a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2C is a schematic illustration of an exemplary third embodiment of a system for creating a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2D is a schematic illustration of an exemplary fourth embodiment of a system for creating a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2E is a schematic illustration of an exemplary fifth embodiment of a system for creating a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 2F is a schematic illustration of an exemplary sixth embodiment of a system for creating a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 3A is a screenshot of an exemplary first configuration screen of a campaign manager for configuring a deception campaign, according to some embodiments of the present invention;

FIG. 3B is a screenshot of an exemplary second configuration screen of a campaign manager for configuring a deception campaign, according to some embodiments of the present invention;

FIG. 3C is a screenshot of an exemplary third configuration screen of a campaign manager for configuring a deception campaign, according to some embodiments of the present invention;

FIG. 4 is a block diagram of exemplary building blocks of a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 5 is a block diagram of an exemplary utilization of deception environment building blocks for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention;

FIG. 6A is a screenshot of an exemplary first status screen of a campaign manager dashboard presenting structural information of a deception campaign, according to some embodiments of the present invention;

FIG. 6B is a screenshot of an exemplary second status screen of a campaign manager dashboard for investigating potential threats detected during a deception campaign, according to some embodiments of the present invention; and

FIG. 7 is a flowchart of an exemplary process for containing a malicious attack within a deception environment created dynamically in a protected network, according to some embodiments of the present invention.

DESCRIPTION OF SPECIFIC EMBODIMENTS OF THE INVENTION

The present invention, in some embodiments thereof, relates to detecting potential unauthorized operations in a protected network, and, more specifically, but not exclusively, to detecting potential unauthorized operations in a protected network by monitoring interaction between dynamically updated deception data objects deployed in the protected system and deception applications hosted by a decoy endpoint.

According to some embodiments of the present invention, there are provided methods, systems and computer program products for creating an emulated deception environment to allow detection of potential unauthorized operations in a protected network. The deception environment is created, maintained and monitored through one or more deception campaigns each comprising a plurality of deception components. The deception environment co-exists with a real (valid) processing environment of the protected network while separated from the real processing environment. The deception environment is based on deploying deception data objects (breadcrumbs), for example, credential files, password files, share lists, “cookies”, access protocols and/or the like in the real processing environment on one or more endpoints, for example, work stations, servers, processing nodes and/or the like in the protected network. The deception data objects interact with decoy operating system(s) (OS) and/or deception applications created and launched on one or more decoy endpoints in the protected system according to pre-defined relationship(s) applied in the deception environment. The decoy OS(s) and the deception application(s) may be adapted according to the characteristics of the real (valid) OS(s) and/or application used by the real processing environment of the protected network. The deception data objects are deployed to attract potential attacker(s) to use the deception data objects while observing, orienting, deciding and acting (OODA) within the protected network. In order for the deception environment to effectively mimic and/or emulate the real processing environment, the created deception data objects are of the same type(s) as valid data objects used in the real processing environment. However when used, instead of interacting with the real OS(s) and/or application(s), the deception data objects interact with the decoy OS(s) and/or the deception application(s). The interaction as well as general activity in the deception environment is constantly monitored and analyzed. Since the deception environment may be transparent to legitimate users, applications, processes and/or the like in the real processing environment, operation(s) in the protected network that use the deception data objects may indicate that the operation(s) are potentially unauthorized operation(s) that may likely be performed by the potential attacker(s).

The deception environment is updated dynamically and continuously to make the deception data objects look like they are in use by the real processing environment in the protected network and therefore seem as valid data objects to the potential attacker thus leading the potential attacker to believe the emulated deception environment is a real one.
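The Python block below is an added example, not the patent's code, of one way to keep deployed deception data objects looking used: it refreshes their access and modification timestamps with a recent, jittered time, moves the expiry of a decoy cookie forward, and records the emulated last use and use count in a sidecar file that a decoy application could surface. The sample object contents, the sidecar format, the actor name `usage-emulator` and the function names are constructed for this illustration; the objects are written to a temporary directory so the example runs offline.

```python
"""Refreshing the usage indication of deployed deception data objects
(added example)."""
import json
import os
import random
import tempfile
import time
from pathlib import Path

COOKIE_TTL = 7 * 24 * 3600         # a freshly used cookie has a week left
EMULATOR_ACTOR = "usage-emulator"  # hypothetical actor name the monitor allowlists

# Constructed sample objects: an RDP connection file, a git credential store
# and a Netscape-format cookie jar. All values are decoys, not real secrets.
SAMPLE_OBJECTS = {
    "rdp_finance.rdp": "full address:s:finance-rdp.corp.example\nusername:s:svc_backup\n",
    ".git-credentials": "https://deploy:decoy-token@git.corp.example\n",
    "cookies.txt": (
        "# Netscape HTTP Cookie File\n"
        "portal.corp.example\tFALSE\t/\tTRUE\t1469000000\tsession\tdecoy-session-id\n"
    ),
}


def plant_objects(root):
    """Write the sample objects and age their timestamps by 90 days so the
    effect of a refresh is visible."""
    root = Path(root)
    old = time.time() - 90 * 86400
    for name, content in SAMPLE_OBJECTS.items():
        path = root / name
        path.write_text(content)
        os.utime(path, (old, old))
    return sorted(SAMPLE_OBJECTS)


def _refresh_cookie_expiry(path, now):
    """Move every cookie's expiry field to now + COOKIE_TTL; keep comments."""
    lines = []
    for line in path.read_text().splitlines():
        parts = line.split("\t")
        if len(parts) == 7 and not line.startswith("#"):
            parts[4] = str(now + COOKIE_TTL)
        lines.append("\t".join(parts))
    path.write_text("\n".join(lines) + "\n")


def refresh_usage(root, now=None, rng=None):
    """Make each object look recently used: jittered atime/mtime within the
    last 30 minutes, refreshed cookie expiry, and a sidecar JSON recording the
    emulated last use and use count that the decoy applications expose."""
    now = int(time.time()) if now is None else int(now)
    rng = rng or random.Random(0)
    root = Path(root)
    report = {}
    for name in SAMPLE_OBJECTS:
        path = root / name
        used_at = now - rng.randint(60, 1800)
        if name.endswith("cookies.txt"):
            _refresh_cookie_expiry(path, now)
        os.utime(path, (used_at, used_at))
        sidecar = root / (name + ".usage.json")
        state = json.loads(sidecar.read_text()) if sidecar.exists() else {"use_count": 0}
        state.update(use_count=state["use_count"] + 1, last_used=used_at,
                     actor=EMULATOR_ACTOR)
        sidecar.write_text(json.dumps(state))
        report[name] = state
    return report


def demo():
    """Plant the objects in a temporary directory, refresh twice, and return
    what changed so the result can be inspected or asserted on."""
    root = tempfile.mkdtemp(prefix="decoy-")
    names = plant_objects(root)
    first = refresh_usage(root, now=1_700_000_000)
    second = refresh_usage(root, now=1_700_003_600)
    return {
        "names": names,
        "first": first,
        "second": second,
        "rdp_mtime": int(os.stat(Path(root) / "rdp_finance.rdp").st_mtime),
        "cookie_text": (Path(root) / "cookies.txt").read_text(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording the emulator as the actor of each refresh is what lets the monitoring side exclude these synthetic uses, so that only a use of the object by someone else is reported as a potential unauthorized operation.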

The provided methods, systems and computer program products further allow a user, for example, an IT person and/or a system administrator to create the deception environment using templates for the deception components, specifically, the decoy OS(s), the deception application(s) and the deception data object(s). Automated tools are provided to automatically create, adjust and/or adapt the deception environment according to the characteristics of the real processing environment and/or the protected network such that the deception environment maps the construction and/or operation of the real processing environment.

The emulated deception environment may present significant advantages compared to currently existing methods for detecting potential attackers and/or preventing the potential attackers from accessing resources in the protected network. First, as opposed to some of the currently existing methods that engage with the potential attacker at the act stage, the presented deception environment deceives the potential attacker from the very first time the attacker enters the protected network by creating a false environment—the emulated deception environment. Engaging the attacker at the act stage and trying to block the attack may lead the attacker to search for an alternative path in order to circumvent the blocked path. Moreover, while the currently existing methods are responsive in nature, i.e. respond to operations of the attacker, by creating the false environment in which the attacker advances, the initiative is taken such that the attacker may be directed and/or led to trap(s) that may reveal him (them).

Some of the currently existing methods do try to deceive the attacker, however the measures used may be basic and/or simple, for example, obscurity, i.e. hiding the valuable data out of plain sight. Since advanced attacker(s) may have the time and resources to explore the target network, the attacker(s) is (are) likely to find the valuable data. More advanced currently existing methods employ a higher level of deception, mostly by using honeypots (computer security mechanisms set to detect, deflect and/or counteract unauthorized attempts to use information systems). The honeypots that are usually emulating services and/or systems are typically placed inside the target network(s) and/or at the edges. The honeypots are directed to attract the attacker to use them and generate an alert when usage of the honeypots is detected. The honeypots approach may provide some benefits when dealing with automated attack tools and/or unsophisticated attackers, however the honeypots present some drawbacks. First, the honeypots may be difficult to scale to large organizations as each of the honeypot application(s) and/or service(s) may need to be individually installed and managed. In addition, the advanced attacker may learn of the presence and/or nature of the honeypot since it may be static and/or inactive within the active target network. Moreover, even if the attack is eventually blocked, the honeypots may not be able to gather useful forensic data about the attack and/or the attacker(s). Furthermore, due to the unsophisticated nature of the honeypot in which alerts may be generated on every interaction with the honeypot, multiple false positive alerts may be generated when legitimate activity is conducted with the honeypot.

The presented deception environment may overcome the drawback of the currently existing deception methods by updating dynamically and constantly the deception environment such that the deception data objects appear to be used in the protected network. This may serve to create an impression of a real active environment and may lead the potential attacker(s) to believe the deception data objects are genuine (valid) data objects. As the potential attacker(s) may not detect the deception environment, he (they) may interact with the deception environment during multiple iterations of the OODA loop thus revealing his (their) activity pattern and possible intention(s). The activity pattern may be collected and analyzed to adapt the deception environment accordingly. Since the deception environment is transparent to legitimate users in the protected network, any operations involving the decoy OSs, the deception applications and/or the deception data objects may accurately indicate a potential attacker thus avoiding false positive alerts.

Moreover, the presented deception environment methods and systems may allow for high scaling capabilities over large organizations, networks and/or systems. Using the templates for creating the decoy OS(s) and/or the deception application(s) coupled with the automated tools to create and launch the decoy OS(s) and/or the deception application(s) as well as automatically deploy the deception data objects may significantly reduce the effort to construct the deception environment and improve the efficiency and/or integrity of the deception environment. The centralized management and monitoring of the deception environment may further simplify tracking the potential unauthorized operations and/or potential attacks.

Before explaining at least one embodiment of the invention in detail, it is to be understood that the invention is not necessarily limited in its application to the details of construction and the arrangement of the components and/or methods set forth in the following description and/or illustrated in the drawings and/or the Examples. The invention is capable of other embodiments or of being practiced or carried out in various ways.

According to some embodiments of the present invention, there are provided methods, systems and software program products for containing a malicious attack within a deception environment created and/or updated dynamically in a protected network in response to detection of an access attempt of a potential attacker, for example, a human user, a process, an automated tool, a machine and/or the like. The deception environment may be created and/or updated in response, for example, to an attempt of a potential attacker to access the protected network using false access information of a certain user of the protected network. The deception environment may be further updated in response to one or more operations the potential attacker may apply as part of an attack vector.

The potential attacker may be detected by identifying false access information the potential attacker uses to access the protected network. The false access information may be identified by predicting access information of the certain user based on public information of the certain user available online over one or more networks, for example, the Internet. Predicting the access information of the certain user may simulate methods and/or techniques applied by the potential attacker to predict (“guess”) the access information of the certain user. The false access information may be further identified as false access information that was provided to the potential attacker during one or more past access attempts and/or attacks directed at the certain user. Once use of the false access information is detected, the access attempt is determined to be initiated by the potential attacker.

The potential attacker is granted access to a deception environment created dynamically according to public information of the certain user to make the deception environment consistent with what the potential attacker may know of the certain user thus leading the potential attacker to assume the deception environment is in fact a real (valid) processing environment of the protected network and/or part thereof.

The deception environment may be dynamically updated in real time according to one or more actions made by the potential attacker as part of his attack vector to make the deception environment appear as the real (valid) processing environment and encourage detonation of the attack vector.

Encouraging the potential attacker to access the deception environment and detonating the attack vector may present significant advantages compared to currently existing methods for detecting and/or protecting the protected network from potential attackers. While the existing methods may detect the access attempt made (attack) by the potential attacker, the existing methods may typically block the access attempt and/or inform an authorized person and/or system of the attempted access. This may allow preventing the current attack, however since the resources required by the potential attacker for launching such an attack are significantly low, the potential attacker may initiate multiple additional access attempts that may eventually succeed. By granting access to the potential attacker into the deception environment that the potential attacker is led to believe is the real (valid) processing environment of the protected network, the attack vector of the potential attacker may be analyzed and/or learned in order to improve protection from such access attempts and/or attacks. Moreover, by allowing the potential attacker to access, explore and/or advance in the deception environment, the potential attacker may spend extensive resources, for example, time, tools and/or the like for the attack. This may discourage the potential attacker from initiating additional attacks and/or significantly reduce the number of attacks initiated by the potential attacker.

By creating the deception environment according to the public information of the certain user and/or continuously updating the deception environment, the potential attacker may be deceived to believe that the deception environment is actually the real (valid) processing environment. This may encourage the potential attacker to operate, for example, apply the attack vector, hence detonating the attack vector. Doing so allows monitoring, analyzing and/or learning the attack vector and/or the intentions of the potential attacker while containing the attack within the deception environment thus protecting the real (valid) processing environment of the protected network from any malicious action(s) initiated by the potential attacker.


The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. Any combination of one or more computer readable medium(s) may be utilized. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network.

The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

Reference is now made to FIG. 1, which is a flowchart of an exemplary process for creating and maintaining a deception environment in order to detect potential unauthorized operations in a protected network, according to some embodiments of the present invention. A process 100 is executed to launch one or more deception campaigns comprising a plurality of deception components to create, launch, maintain and monitor a deception environment that co-exists with a real processing environment of a protected network. The deception components comprise one or more decoy OS(s) and deception application(s) adapted according to the characteristics of the OS(s) and/or applications used in the protected network. The decoy OS(s) and/or the deception application(s) are launched on one or more decoy endpoints that may be physical endpoints and/or virtual endpoints. The deception components further comprise a plurality of deception data objects (breadcrumbs) interacting with the decoy OS(s) and/or the deception applications. The deception data objects are deployed within the real processing environment of the protected network to attract potential attacker(s) to use the deception data objects while performing the OODA loop within the protected network. The deception data objects are of the same type(s) as valid data objects used to interact with the real OSs and/or applications in the real processing environment, such that the deception environment efficiently emulates and/or impersonates the real processing environment and/or a part thereof. When used, instead of interacting with the real operating systems and/or applications, the deception data objects interact with the decoy OS(s) and/or the deception application(s). The deception environment is transparent to legitimate users, applications, processes and/or the like of the protected network's real processing environment. Therefore, operation(s) in the protected network that use the deception data object(s) may be considered potential unauthorized operation(s) that in turn may be indicative of a potential attacker. The deception data objects are updated constantly and dynamically to avoid stagnancy and to mimic a real and dynamic environment, with the deception data objects appearing as valid data objects such that the potential attacker believes the emulated deception environment is a real one.

Reference is now made to FIG. 2A, FIG. 2B, FIG. 2C, FIG. 2D, FIG. 2E and FIG. 2F, which are exemplary embodiments of a system for creating and maintaining a deception environment in order to detect potential unauthorized operations in a protected network, according to some embodiments of the present invention. One or more exemplary systems 200A, 200B, 200C, 200D, 200E and 200F may be used to execute a process such as the process 100 to launch one or more deception campaigns for detecting and/or alerting of potential unauthorized operations in a protected network 235. The deception campaign(s) include creating, maintaining and monitoring the deception environment in the protected network 235. While co-existing with the real processing environment of the protected network 235, the deception environment is separated from the real processing environment to maintain partitioning between the deception environment and the real processing environment.

The systems 200A, 200B, 200C, 200D, 200E and 200F include the protected network 235 that comprises a plurality of endpoints 220 connected to a network 230 facilitated through one or more network infrastructures, for example, a local area network (LAN), a wide area network (WAN), a personal area network (PAN), a metropolitan area network (MAN) and/or the internet 240. The protected network 235 may be a local protected network that may be a centralized single-location network where all the endpoints 220 are on premises, or a distributed network where the endpoints 220 may be located at multiple physical and/or geographical locations. The protected network 235 may further be a virtual protected network hosted by one or more cloud services 245, for example, Amazon Web Service (AWS), Google Cloud, Microsoft Azure and/or the like. The protected network 235 may also be a combination of the local protected network and the virtual protected network. The protected network 235 may be, for example, an organization network, an institution network and/or the like. The endpoint 220 may be a physical device, for example, a computer, a workstation, a server, a processing node, a cluster of processing nodes, a network node, a Smartphone, a tablet, a modem, a hub, a bridge, a switch, a router, a printer and/or any network connected device having one or more processors. The endpoint 220 may further be a virtual device hosted by one or more of the physical devices, instantiated through one or more of the cloud services 245 and/or provided as a service through one or more hosted services made available by the cloud service(s) 245. Each of the endpoints 220 is capable of executing one or more real applications 222, for example, an OS, an application, a service, a utility, a tool, a process, an agent and/or the like. The endpoint 220 may further be a virtual device, for example, a virtual machine (VM) executed by the physical device. The virtual device may provide an abstracted and platform-dependent and/or independent program execution environment. The virtual device may imitate operation of the dedicated hardware components, operate in a physical system environment and/or operate in a virtualized system environment. The virtual devices may serve as a platform for executing one or more of the real applications 222, utilized as system VMs, process VMs, application VMs and/or other virtualized implementations.

The local protected networks 235 as implemented in the systems 200A and 200B further include a decoy server 201, for example, a computer, a workstation, a server, a processing node, a cluster of processing nodes, a network node and/or the like, serving as the decoy endpoint. The decoy server 201 comprises a processor(s) 202, a program store 204, a user interface 206 for interacting with one or more users 260, for example, an information technology (IT) person, a system administrator and/or the like, and a network interface 208 for communicating with the network 230. The processor(s) 202, homogenous or heterogeneous, may include one or more processing nodes arranged for parallel processing, as clusters and/or as one or more multi-core processor(s). The user interface 206 may include one or more human-machine interfaces, for example, a text interface, a pointing device interface, a display, a touchscreen, an audio interface and/or the like. The program store 204 may include one or more non-transitory persistent storage devices, for example, a hard drive, a Flash array and/or the like. The program store 204 may further comprise one or more network storage devices, for example, a storage server, a network accessible storage (NAS), a network drive and/or the like. The program store 204 may be used for storing one or more software modules, each comprising a plurality of program instructions that may be executed by the processor(s) 202 from the program store 204. The software modules may include, for example, a decoy OS 210 and/or a deception application 212 that may be created, configured and/or executed by the processor(s) 202 to emulate a processing environment within the protected network 235. The decoy OS(s) 210 and/or the deception application(s) 212 may be executed by the processor(s) 202 in a naive implementation as shown for the system 200A and/or over a nested decoy VM 203A hosted by the decoy server 201 as shown for the system 200B and serving as the decoy endpoint. The software modules may further include a deception campaign manager 216 executed by the processor(s) 202 to create, control and/or monitor one or more deception campaigns to create the deception environment to detect potential unauthorized operations in the protected network 235.

The user 260 may use the campaign manager 216 to create, adjust, configure and/or launch one or more of the decoy OSs 210 and/or the deception applications 212 on one or more of the decoy endpoints. The decoy endpoints are set to emulate the real endpoints 220 and as such may be physical and/or virtual endpoints. The user 260 may further use the campaign manager 216 to create, deploy and/or update a plurality of deception data objects 214 (breadcrumbs) deployed on one or more of the endpoints 220 in the protected network 235. The deployed deception data objects 214 interact with respective one or more of the deception applications 212. The deception data objects 214 are deployed to tempt the potential attacker(s) attempting to access resource(s) in the protected network 235 to use the deception data objects 214. The deception data objects 214 are configured to emulate valid data objects that are available in the endpoints 220 for interacting with the applications 222.

The user 260 may interact with one or more of the software modules such as the campaign manager 216, the decoy OS(s) 210 and/or the deception application(s) 212 using the user interface 206. The user interface may include, for example, a graphic user interface (GUI) utilized through one or more of the human-machine interface(s).

Optionally, the user 260 interacts with the campaign manager 216, the decoy OS(s) 210 and/or the deception application(s) 212 remotely over the network 230 by using one or more applications, for example, a local agent and/or a web browser executed on one or more of the endpoints 220 and/or from a remote location over the internet 240.

Optionally, the user 260 executes the campaign manager 216 on one or more of the endpoints 220 to create, control and/or interact with the decoy OS 210 and/or the deception applications 212 over the network 230.

Optionally, for the local protected networks 235 as implemented in the system 200C, the decoy OS(s) 210 and/or the deception application(s) 212 may be executed as one or more decoy VMs 203B serving as the decoy endpoint(s) over a virtualization infrastructure made available by one or more hosting endpoints 220A such as the endpoints 220 of the protected network 235. The virtualization infrastructure may utilize, for example, Elastic Sky X (ESXi), XEN, Kernel-based Virtual Machine (KVM) and/or the like. The user 260 may interact with the campaign manager 216, the decoy OS(s) 210 and/or the deception application(s) 212 through a user interface such as the user interface 206 provided by the hosting endpoint(s) 220A. Additionally and/or alternatively, the user 260 may use one or more applications, for example, a local agent and/or a web browser executed on one or more of the endpoints 220, to interact remotely over the network 230 with the campaign manager 216, the decoy OS(s) 210 and/or the deception application(s) 212 executed by the hosting endpoint(s) 220A. Optionally, one or more of the other endpoints 220 executes the campaign manager 216, which interacts with the decoy OS(s) 210 and/or the deception applications 212 of the hosting endpoint(s) 220A over the network 230.

Optionally, for the local protected networks 235 as implemented in the system 200D, the decoy OS(s) 210 and/or the deception application(s) 212 may be executed through computing resources available from the one or more cloud services 245 serving as the decoy endpoint(s). The decoy OS(s) 210 and/or the deception application(s) 212 may be utilized as one or more decoy VMs 205 instantiated using the cloud service(s) 245 and/or through one or more hosted services 207, for example, software as a service (SaaS), platform as a service (PaaS) and/or the like, that may be provided by the cloud service(s) 245. The campaign manager 216 may also be available through the cloud services 245. Optionally, the hosted service(s) 207 is provided by the vendor of the campaign manager 216.

The user 260 may use one or more applications, for example, the local agent and/or the web browser executed on one or more of the endpoints 220, to interact remotely over the network 230 and the internet 240 with the campaign manager 216. Optionally, the user 260 executes the campaign manager 216 on one or more of the endpoints 220 and interacts with the decoy OS(s) 210 and/or the deception application(s) 212 over the network 230 and the internet 240.

Optionally, as presented in the systems 200E and 200F, the protected network 235 and/or a part thereof is a virtual protected network that may be hosted and/or provided through the cloud service(s) 245. As a growing trend, many organizations may transfer and/or set up their infrastructure comprising one or more of the applications 222, for example, a webserver, a database, an internal mail server, an internal web application and/or the like, in the cloud, for example, through the cloud service(s) 245. In the system 200E, the protected network 235 may be distributed to two or more subnetworks such as the networks 235A and 235B that are part of the same logical protected network 235 while they may be physically distributed at a plurality of sites as a combination of the local network and the virtual network. In the system 200F, the protected network 235 is virtual, hosted and/or provided by the cloud service 245, i.e. the protected network 235 comprises only the subnetwork 235B. The subnetwork 235A is a local network similar to the network 235 as described before for the systems 200A-200D and may include one or more of the endpoints 220 either as the physical devices and/or the virtual devices executing the application(s) 212. The network 235B on the other hand is a virtual network hosted and/or provided through the cloud service(s) 245 as one or more, for example, private networks, virtual private clouds (VPCs), private domains and/or the like. Each of the private cloud(s), private network(s) and/or private domain(s) may include one or more virtual endpoints 220 that may be, for example, instantiated through the cloud service(s) 245, provided as the hosted service 207 and/or the like, where each of the endpoints 220 may execute one or more of the applications 212. In such configuration(s), the decoy OS(s) 210 may be executed as independent instance(s) deployed directly to the cloud service(s) 245 using an account for the cloud service 245, for example, AWS, for a VPC provided by the AWS for use for the organizational infrastructure.

Typically, users of the virtual protected network 235 may remotely access, communicate and/or interact with the applications 212 by using one or more access applications 225, for example, the local agent, a local service and/or the web browser executed on one or more of the endpoints 220 and/or one or more client terminals 221. The client terminal 221 may include, for example, a computer, a workstation, a server, a processing node, a network node, a Smartphone, a tablet.

For both systems 200E and/or 200F, the decoy OS(s) 210 and/or the deception application(s) 212 may be executed through computing resources available from the cloud services 245 that serve as the decoy endpoint(s), similarly to the system 200D. In the same fashion, the campaign manager 216 may be executed and accessed as described for the system 200D. The deception data objects 214 may be adapted and/or adjusted in the systems 200E and/or 200F according to the characteristics of the protected networks 235A and/or 235B with respect to the executed applications 222 and/or interaction with the user(s) of the applications 222.

For brevity, the protected networks 235, 235A and 235B are referred to hereinafter as the protected network 235, whether implemented as the local protected networks 235, as the virtual protected network, and/or as a combination of the two.

Reference is made once again to FIG. 1. The process 100 may be executed using one or more software modules such as the campaign manager 216 to launch one or more deception campaigns. Each deception campaign comprises creating, updating and monitoring the deception environment in the protected network 235 in order to detect and/or alert of potential attackers accessing the protected network 235. Each deception campaign may be defined according to a required deception scope and is constructed according to one or more characteristics of the protected network 235 processing environment.

In order to launch effective and/or reliable deception campaigns, the deception environment may be designed, created and deployed to follow design patterns, which are general reusable solutions to common problems and are in general use. The deception campaign may be launched to emulate one or more design patterns and/or best-practice solutions that are widely used by a plurality of organizations. For example, a virtual private network (VPN) link may exist to connect to a resource of the protected network 235, for example, a remote branch, a database backup server and/or the like. The deception campaign may be created to include one or more decoy OSs 210, deception applications 212 and respective deception data objects 214 to emulate the VPN link and/or one or more of the real resources of the protected network 235. Using this approach may give a reliable impression of the deception environment, making it appear as the real processing environment and thus effectively attracting and/or misleading the potential attacker, who may typically be familiar with the design patterns.

Each deception campaign may define one or more groups to divide and/or delimit the organizational units in order to create an efficient deception environment that may allow better classification of the potential attacker(s). The groups may be defined according to one or more organizational characteristics, for example, business units of the organization using the protected network 235, for example, human resources (HR), sales, finance, development, IT, data center, retail branch and/or the like. The groups may also be defined according to one or more other characteristics of the protected network 235, for example, a subnet, a subdomain, an active directory, a type of application(s) 222 used by the group of users, an access permission on the protected network 235, a user type and/or the like.

As shown at 102, the process 100 for launching one or more deception campaigns starts with the user 260 using the campaign manager 216 to create one or more images of the decoy OSs 210. The decoy OS 210 is a full stack operating system that contains baseline configurations and states that are relevant to the protected network 235 in which the decoy OS(s) 210 is deployed. The image of the decoy OS(s) 210 is selected according to one or more characteristics of the protected network 235, for example, a type of OS(s), for example, Windows, Linux, CentOS and/or the like, deployed on endpoints such as the endpoints 220, a number of endpoints 220 and/or the like. The decoy OS(s) 210 may also be selected according to the deception application(s) 212 that the user 260 intends to use in the deception environment and that are to be hosted by the decoy OS(s) 210.

Optionally, the campaign manager 216 provides one or more generic templates for creating the image of the decoy OS(s) 210. The templates may support one or more of a plurality of OSs, for example, Windows, Linux, CentOS and/or the like. The template(s) may be adjusted to include one or more applications and/or services such as the application 212 mapping respective applications 222 according to the configuration of the respective OS(s) in the real processing environment of the protected network 235. The adjusted template(s) may be defined as a baseline idle state of the images of the decoy OS(s) 210. The application(s) 212 included in the idle template may include, for example, generic OS applications and/or services that are part of the out-of-the-box manifest of services, as per the OS, for example, “explorer.exe” for the Windows OS. The application(s) 212 included in the idle state image may also include applications and/or services per the policy applied to the protected network 235, for example, an organization policy. The adjustment to the template may be done by the user 260 through the campaign manager 216 GUI and/or using one or more automated tools that analyze the endpoints 220 of the protected network 235 to identify application(s) 222 that are installed and used at the endpoints 220.

Optionally, the campaign manager 216 supports defining the template(s) to include orchestration, provisioning and/or update services for the decoy OS(s) 210 to ensure that the instantiated templates of the decoy OS(s) 210 are up-to-date with the other OS(s) deployed in the protected network 235.

As shown at 104, the user 260 using the campaign manager 216 creates one or more of the deception applications 212 to be hosted by the decoy OS(s) 210. The deception applications 212 include a manifest of applications, services, tools, processes and/or the like selected according to applications and services such as the applications 222 characteristic to the protected network 235. The deception applications 212 may be selected based on a desired scope of deception and/or characteristic(s) of the protected network 235. The deception application(s) 212 are selected to match deception data objects such as the deception data objects 214 deployed in the endpoints 220 to allow interaction between the deception data objects 214 and the respective deception application(s) 212. The selection of the deception applications 212 may be done by the user 260 using the campaign manager 216. Optionally, the campaign manager 216 may use one or more automated tools to explore the protected network 235 and identify the applications 222 executed on the endpoints 220. Based on the identified applications 222, the campaign manager may automatically select the deception application(s) 212 to be included in the deception environment. The application(s) 212 may include one or more applications and/or services mapping respective application(s) 222, for example, an off-the-shelf application, a custom application, a web based application and/or service, a remote service and/or the like. Naturally, the applications 212 are selected to operate with the decoy OS(s) 210 selected for the deception campaign.

Optionally, the campaign manager 216 provides one or more generic templates for one or more of a plurality of deception applications 212. The templates of the deception applications 212 may be adjusted to adapt to the protected network 235 to maintain similarity of the deception environment with the real processing environment of the protected network, such that the deception application(s) 212 appear to be valid applications such as the applications 222.

The campaign manager 216 may create, define and/or adjust the off-the-shelf application(s) for the deception environment through tools, packages and/or services customized to manipulate the off-the-shelf application(s). The campaign manager 216 may also use an Application Programming Interface (API) of a respective off-the-shelf application to create, define and/or adjust the template for creating the deception application 212 mapping the off-the-shelf application(s). The API may provide a record, for example, an XML file, that describes the expected inputs and/or outputs of the off-the-shelf application available as a containerized application, a service and/or an executable. The record may further describe the expected interaction of the off-the-shelf application with the OS in idle state(s), i.e. with no user interaction. The campaign manager 216 may use the description of the off-the-shelf application's interaction with the OS to adjust the template of the respective deception application 212 to operate with the decoy OS 210. Defining the idle state(s) may allow the campaign manager 216 to detect user interaction once the deception campaign is launched. Containerization and declaration may be required for the custom applications to allow the campaign manager 216 to take advantage of the template mechanism for use with the custom application(s).
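The idle-state record and the interaction detection it enables, as an added example that is not part of the patent: the XML element names, the monitor line format, the hypothetical decoy file server and every observed event are assumptions constructed for this illustration.

```python
"""
Idle-state baseline check for a deception application.

Added example, not code from the patent. It assumes a small XML record
(constructed below) listing the OS interactions an off-the-shelf application
performs while idle, i.e. with no user interaction. Observed interactions on
the decoy OS that the baseline does not explain are reported as interaction
with the deception application.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed idle-state record for a hypothetical decoy SMB file server.
# The element and attribute names are assumptions made for this example.
IDLE_STATE_XML = """
<application name="decoy-fileserver">
  <process name="smbd" user="root"/>
  <process name="nmbd" user="root"/>
  <file path="/etc/samba/smb.conf" access="read"/>
  <file path="/var/log/samba/log.smbd" access="write"/>
  <listen proto="tcp" port="445"/>
  <listen proto="tcp" port="139"/>
</application>
"""

# Constructed monitor output from the decoy OS, one interaction per line in
# the form "<kind> <key> <detail>". The last two lines are not idle behaviour:
# a share file was read and a shell was spawned.
OBSERVED_LINES = [
    "process smbd root",
    "process nmbd root",
    "listen tcp:445 -",
    "file /etc/samba/smb.conf read",
    "file /var/log/samba/log.smbd write",
    "file /srv/share/finance/payroll.xlsx read",
    "process sh nobody",
]


@dataclass(frozen=True)
class Interaction:
    kind: str    # "process", "file" or "listen"
    key: str     # process name, file path or "proto:port"
    detail: str  # user, access mode, or "-" when not applicable


def load_idle_baseline(xml_text):
    """Parse the idle-state record into the set of expected interactions."""
    root = ET.fromstring(xml_text.strip())
    baseline = set()
    for el in root:
        if el.tag == "process":
            baseline.add(Interaction("process", el.get("name"), el.get("user")))
        elif el.tag == "file":
            baseline.add(Interaction("file", el.get("path"), el.get("access")))
        elif el.tag == "listen":
            baseline.add(Interaction("listen", f"{el.get('proto')}:{el.get('port')}", "-"))
    return baseline


def parse_observation(line):
    """Turn one monitor line into an Interaction; malformed lines return None."""
    parts = line.split()
    if len(parts) != 3 or parts[0] not in ("process", "file", "listen"):
        return None
    return Interaction(parts[0], parts[1], parts[2])


def detect_interactions(baseline, observed_lines):
    """Return the observed interactions that the idle baseline does not explain,
    in the order they were observed."""
    deviations = []
    for line in observed_lines:
        obs = parse_observation(line)
        if obs is not None and obs not in baseline:
            deviations.append(obs)
    return deviations


if __name__ == "__main__":
    for d in detect_interactions(load_idle_baseline(IDLE_STATE_XML), OBSERVED_LINES):
        print(f"non-idle {d.kind}: {d.key} ({d.detail})")
```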

The campaign manager 216 may use the API of the web based application(s) and/or service(s) and the remote service(s), similarly to what is done for the off-the-shelf application(s) and/or service(s), to define the expected inputs, outputs, web responses and/or back-end data structures.

The campaign manager 216 defines relationship(s) between each of the deception applications 212 and the respective decoy OS(s) 210 to set the processing interaction between them during the deception campaign. The relationship(s) may be based on pre-defined declarations provided by the templates according to the type of the respective deception application 212 and the corresponding decoy OS 210. The relationship declarations may be further adjusted automatically by the campaign manager 216 and/or by the user 260 using the campaign manager 216 to adapt to one or more operational, structural and/or organizational characteristics of the protected network. The operational, structural and/or organizational characteristics may include, for example, a network structure of the protected network, a mapping method of the application(s) 222 used in the protected network and/or the like.

For configurations of the virtual protected network 235 as described in the systems 200E and/or 200F, the deception environment may be further created and/or adapted to emulate one or more applications and/or services such as the applications 222 that are provided by the cloud services 245. The applications 222 that are provided by the cloud services 245 may not be directly associated with the decoy OSs 210 but may rather be considered as decoy entities on their own.

For example, cloud services 245 such as, for example, the AWS may provide an application 222 of the type Simple Storage Service (S3) bucket service. The S3 bucket service has become a basic building block of any cloud deployment to the AWS. The S3 bucket service is used extensively for a plurality of storage purposes, for example, dumb storage of large amounts of logs, intermediate storage for software deployment, the actual storage mechanism used by web application(s) to store files and/or the like. The S3 bucket service provided by the AWS establishes a new bucket storage concept by providing an API allowing extensive capabilities and operability for the S3 bucket service, for example, monitoring of action(s) on the S3 bucket, either read and/or write operations. This may serve to extend the deception environment to take advantage of the S3 bucket as a decoy, i.e. an S3 storage decoy. The S3 storage decoy may be created and deployed as an active part of the deception environment.

As shown at 106, the campaign manager 216 is used to launch the decoy OS(s) 210 and the deception application(s) 212. The decoy OS(s) 210 is instantiated in one or more forms as presented for the systems 200A, 200B, 200C, 200D, 200E and/or 200F. The instantiation of the decoy OS(s) 210 may be defined by the configuration of the groups declared for the deception campaign as well as by the configuration of the protected network. The instantiation of the decoy OS(s) 210 over the dedicated decoy server 201 and/or the virtualization infrastructure, for example, ESXi, XEN and/or KVM, such as the decoy virtual machine(s) 203B and/or 205 and/or the hosted service(s) 207, may be done manually by the user 260 and/or automatically using the campaign manager 216.

As shown at 108, the campaign manager 216 is used to create the deception data objects 214 and define the interaction with one or more of the deception applications 212 by declaring the relationship(s) of each of the deception data objects 214. The deception data objects 214 are created to emulate valid data objects used to interact with the applications 222. The deception data objects 214 may include, for example, one or more of the following:

-   Hashed credentials in Windows 7 user workstations.
-   Browser cookies to a web application or site.
-   Windows registry keys referencing remote application settings.
-   Server Message Block (SMB) mapped shares on a Windows machine.
-   Mounted Network Storage element(s) on a Linux workstation.
-   Configuration files referencing remote desktop authentication credentials.
-   Source code files with embedded database authentication credentials.
-   Configuration files to a source-code version control system such as, for example, Git.

The deception data objects 214 are directed, once deployed, to attract the potential attackers during the OODA process in the protected network. To create an efficiently deceptive campaign, the deception data objects 214 may be created with one or more attributes that may be attractive to the potential attacker, for example, a name, a type and/or the like. The deception data objects 214 may be created to attract the attention of the attacker using an attacker stack, i.e. tools, utilities, services, applications and/or the like that are typically used by the attacker. As such, the deception data objects 214 may not be visible to users using a user stack, i.e. tools, utilities, services, applications and/or the like that are typically used by a legitimate user. Taking this approach may allow creating the deception campaign in a manner that the user may need to go out of his way, performing unnatural operations and/or actions to detect, find and/or use the deception data objects 214, while it may be a most natural course of action or method of operation for the attacker. For example, browser cookies are rarely accessed and/or reviewed by the legitimate user(s). At most, the cookies may be cleared en masse. However, one of the main methods for the attacker(s) to obtain website credentials and/or discover internal websites visited by the legitimate user(s) is to look for cookies and analyze them. As another example, open shares that indicate shares with network resources made by the legitimate user(s) using the application(s) 212 are typically not available for the user stack, while it is a common method for the attacker, who may review them using, for example, a “net use” command from a shell. Other examples include, for example, web browser history logs, files in temporary folders, shell command history logs, etc. that are typically not easily accessible using the user stack while they are easily available using the attacker stack.

Each of the deception data objects 214 is configured to interact with one or more of the decoy OSs 210 and/or the deception applications 212. The deception data objects 214 may be created and their relationships defined according to the deception policy and/or methods defined for the deception campaign. Naturally, the deception policy and/or methods that dictate the selection and configuration of the deception application(s) 212 also dictate the type and configuration of the deception data objects 214. The deception data objects 214 may further be created according to the groups defined for the deception campaign. For example, the deceptive data object 214 of type “browser cookie” may be created to interact with a website and/or an application launched using an application 212 of type “browser” created during the deception campaign. As another example, a deceptive data object 214 of type “mapped share” may be created to interact with an application 212 of type “share service” created during the deception campaign.

The deception data objects 214 may be created and/or adapted according to the configuration of the protected network 235 and/or the construction of the deception environment. As an example, it is assumed that the deception campaign is launched for the virtual protected network 235 as described in the systems 200E and/or 200F. The deception environment may be created to place a stronger focus on standard network setup, for example, remote access using Secure Shell (SSH), remote backup using SSH and/or Secure Copy (SCP), SSH using private keys (Privacy-enhanced Electronic Mail (PEM) files) and/or the like. Focusing on the standard network setup for these configuration(s) is done as opposed to, for example, user/password combination deception data objects 214 created for the deception environment for the local implementation of the protected network 235 as described in the systems 200A-200D.

For configurations of the virtual protected network 235 as described in the systems 200E and/or 200F, the deception data objects 214 may be created and deployed to interact with one or more deception applications 212 emulating one or more applications and/or services such as the applications 222 that are provided by the cloud services 245. For example, the deception data objects 214 may be created and deployed to interact with the S3 storage decoy. Due to regulation, it is common practice to encrypt the data that is stored through the S3 bucket service in order to protect the stored data from breaches that may be initiated by the cloud provider, for example, Amazon. The decryption key(s) may be stored at the same storage mechanism, for example, the AWS S3 bucket service; however, in order to increase the security level, the decryption key(s) are typically stored through a storage bucket service provided by one or more other cloud providers, for example, the Google Cloud Engine. The campaign manager 216 may be used to create an S3 storage decoy that may store data that is set to attract the attacker. Deception data object(s) 214 of a type decryption key may be created to interact with the S3 storage decoy. The decryption key deception data object(s) 214 may be deployed using the storage mechanism of the same cloud service(s) provider providing the S3 storage decoy and/or using the storage mechanism of one or more of the other cloud service(s) providers. This deception extension that takes advantage of the S3 bucket service may seem highly realistic, valid and attractive to the potential attacker seeking to obtain the encrypted data available at the supposedly valid S3 storage decoy.

As shown at 110, the campaign manager 216 is used to deploy the deception data objects 214 on one or more of the endpoints 220 in the protected network 235 to attract the potential attackers who attempt to OODA the protected network 235.

The deployment of the deception data objects 214 may be done using the groups' definition. For example, the deceptive data object 214 of the type “browser cookie” may be deployed using a Group Policy Login Script throughout a respective network segment comprising a subset of the endpoints 220. As another example, the deceptive data object 214 of the type “mapped share” may be deployed using a Windows Management Instrumentation (WMI) script to a specific subset of endpoints 220 in the domain of the protected network 235. The deception data objects 214 may be deployed using automated tools, for example, provisioning and/or orchestration tools, for example, Group Policy, Puppet, Chef and/or the like. The deployment of the deception data objects 214 may also be done using local agents executed on the endpoints 220. The local agents may be pre-installed on the endpoints 220 and/or they may be volatile agents that install the deception data objects 214 and then delete themselves. The deception environment and/or the campaign manager 216 may provide custom scripts and/or commands that may be executed by the user 260 in the protected network 235 to deploy the deception data objects 214.

As discussed before, the campaign manager 216 provides a GUI to allow the user 260 to create, configure, launch and/or deploy one or more of the deception components. The GUI may be provided by the campaign manager 216 locally when the user 260 interacts directly with the decoy server 201 and/or the decoy VM 203A. However, the campaign manager 216 may perform as a server that provides the GUI to the user 260 through one or more applications for accessing the campaign manager 216 remotely, for example, the local agent and/or the web browser executed on one or more of the endpoints 220.

Reference is now made to FIG. 3A, FIG. 3B and FIG. 3C, which are screenshots of an exemplary configuration screen of a campaign manager for configuring a deception campaign, according to some embodiments of the present invention. Screenshots 300A, 300B, 300C and 300D may be presented to one or more users such as the user 260 through a GUI of a campaign manager such as the campaign manager 216. The GUI allows the user 260 to create and/or launch a deception campaign by creating, configuring and launching one or more deception components such as the decoy OS(s) 210, the deception application(s) 212 and/or the deception data objects (breadcrumbs) 214. The campaign manager 216 may use pre-defined templates that may be adjusted according to the protected network 235 characteristics in order to create the deception components.

The screenshot 300A presents an interface for creating one or more images of the decoy OS(s) 210. The user 260 may select a decoys tab 310A to create one or more images of the decoy OS(s). Once the user 260 selects the decoys tab 310A, the campaign manager 216 presents an interface for creating an image for the decoy OS 210 to allow the user 260 to select an OS template, for example, Linux, Windows, CentOS and/or the like for creating an image for the decoy OS 210. The user 260 may further assign a name designating the decoy OS 210 image and/or a host where the decoy OS 210 will be launched. As shown in the exemplary screenshot 300A, the user 260 selected a template of Linux Ubuntu to create an image for a decoy OS 210 designated “HR_Server” that is hosted by an endpoint 220 designated “hrsrv01”.

The screenshot 300B presents an interface for creating one or more deception applications 212. The user 260 may select a services tab 310B to create one or more deception applications 212. Once the user 260 selects the services tab 310B, the campaign manager 216 presents an interface for creating one or more deception applications 212 to allow the user 260 to select a template for creating the deception application(s) 212. The user 260 may further assign a name designating the created deception application 212 and/or define a relationship (interaction) between the created deception application 212 and one or more of the decoy OSs 210. As shown in the exemplary screenshot 300B, the user 260 selected a template of an SMB service for a deception application 212 designated “Personnel_Files” that is included in a services group designated “HR_Services” and connected to the decoy OS 210 “HR_Server”. Through the interface, the user 260 may activate/deactivate the selected deception application 212. The interface may be further used to display the deception data objects that are attached (interact) to the created deception application 212.

The screenshot 300C presents an interface for creating one or more deception data objects (breadcrumbs) 214. The user 260 may select a breadcrumbs tab 310C to create one or more deception data objects 214. Once the user 260 selects the breadcrumbs tab 310C, the campaign manager 216 presents an interface for creating one or more deception data objects 214 to allow the user 260 to select a template representing a type of a data object for creating the deception data object 214. The user 260 may further assign a name designating the created deception data object 214 and/or define a relationship (interaction) between the created deception data object 214 and one or more of the deception applications 212. As shown in the exemplary screenshot 300C, the user 260 selected a template of a Network share for a deception data object 214 designated “Personnel_Files_BC” that is included in a breadcrumbs group designated “HR_bc_group” and connected to the SMB deception application 212 “Personnel_Files” that is part of the services group “HR_Services”.

The screenshot 300D presents an interface for generating a script for deploying the created deception data object(s) 214. While the breadcrumbs tab 310C is presented, the user 260 may select the generate button presented by the interface. The campaign manager 216 may then generate a script that, when executed by one or more of the endpoints 220, will create the created deception data object 214 on the respective endpoint(s) 220. The campaign manager 216 may create a script that, once executed by the endpoint 220, deletes itself, leaving no traces on the endpoint 220.

Once the deception data objects 214 are deployed, the deception environment is operational and the relationships between the deception data objects 214, the deception application(s) 212 and the decoy OS(s) 210 are applicable.

Reference is now made to FIG. 4, which is a block diagram of exemplary building blocks of a deception environment for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention. A deception environment 400 created using a campaign manager such as the campaign manager 216 comprises a plurality of deception data objects 214 deployed on one or more endpoints such as the endpoints 220 in a protected network such as the protected network 235. The campaign manager 216 is used to define relationships 410 between each of the deception data items 214 and one or more of a plurality of deception applications 212. The campaign manager 216 is also used to define relationships 412 between each of the deception applications 212 and one or more of a plurality of decoy OSs 210. The deception data objects 214, the deception applications 212 and/or the decoy OSs 210 may be arranged in one or more groups 402, 404 and/or 406 respectively according to one or more of the characteristics of the protected network 235. Once deployed, operations that use data available in the deception data objects 214 interact with the deception application(s) 212 according to the defined relationships 410 that in turn interact with the decoy OS(s) 210 according to the defined relationships 412. The defined relationships 410 and/or 412 may later allow detection of one or more unauthorized operations by monitoring and analyzing the interaction between the deception data objects 214, the deception applications 212 and/or the decoy OSs 210.

Reference is now made to FIG. 5, which is a block diagram of an exemplary utilization of deception environment building blocks for detecting potential unauthorized operations in a protected network, according to some embodiments of the present invention. Using a campaign manager such as the campaign manager 216, an exemplary deception environment 500 is created and launched to protect a bank. The network of the bank such as the network 230 is typically divided into two segments (groups), the internal office network comprising a plurality of workstations used by employees and a network for Automatic Teller Machines (ATMs) that are available to customers. Both the workstations and the ATMs are exemplary endpoints such as the endpoint 220 and/or the client terminal 221. A potential attacker may start his lateral movement in the network 230 of the bank from either one of the two network segments. To protect the network 230 of the bank, the deception environment 500 is created to comprise two groups A and B, each directed at one of two main deception “stories”, a first story for the ATM machines network and a second story for the internal network comprising the workstations.

For the internal network, a plurality of deception data objects (breadcrumbs) such as the deception data objects 214 that are grouped in a group 402A are deployed on each of the workstations. The deception data objects 214 deployed on the workstations may include, for example, an open share deception data object 214A for sharing and/or accessing various company documents, a browser cookie deception data object 214B for an internal company website and a hashed-credentials deception data object 214C used to access an internal company website and/or log into a faked domain. Similarly, for the ATM network, a plurality of deception data objects (breadcrumbs) such as the deception data objects 214 that are grouped in a group 402B are deployed on each of the ATMs. The deception data objects 214 deployed on the ATMs may include, for example, the hashed-credentials deception data object 214C and a configuration file deception data object 214D for a faked ATM service.

In order to support the breadcrumbs of the two groups 402A and 402B, relevant deception applications such as the deception applications 212 are created and launched. The deception applications 212 may be divided into two groups 404A and 404B to interact with the deception data objects 214 of the internal network and the ATM network respectively. The group 404A may include, for example:

-   An SMB share deception application 212A to interact with the open share deception data object 214A. Interaction and/or relationship 410A may be defined for the interaction between the deception data object 214A and the deception application 212A.
-   A Location Information Server (LIS) deception application 212B to interact with the browser cookie deception data object 214B and/or the hashed-credentials deception data object 214C. Interaction and/or relationship 410B and/or 410C may be defined for the interaction of the deception data object 214B and the deception data object 214C respectively with the deception application 212B.
-   A domain controller deception application 212C providing the fake domain and interacting with the hashed-credentials deception data object 214C and/or the configuration file deception data object 214D. Interaction and/or relationship 410D, 410E and/or 410G may be defined for the interaction of the deception data object 214C of the group 402A, the deception data object 214C of the group 402B and the deception data object 214D respectively with the deception application 212C.

The group 404B may include, for example, an ATM service deception application 212D utilizing the faked ATM service and interacting with the deception data object 214C of the group 402B and the configuration file deception data object 214D. Interaction and/or relationship 410F and/or 410H may be defined for the interaction of the deception data object 214C and the deception data object 214D respectively with the deception application 212D.

The deception applications 212A through 212D are hosted by decoy OSs such as the decoy OS 210. In the exemplary deception environment 500, the SMB share deception application 212A and the LIS server deception application 212B are hosted by a Windows Server 2003 decoy OS 210A while the domain controller deception application 212C is hosted by a Windows Server 2008R2 decoy OS 210B. To maintain the groups partitioning, the Windows Server 2003 decoy OS 210A and the Windows Server 2008R2 decoy OS 210B are grouped together in a group 406A. The ATM service deception application 212D is hosted by a Windows XP SP2 decoy OS 210C that is associated with a group 406B. Interaction and/or relationship 412A and/or 412B may be defined for the interaction of the deception application 212A and the deception application 212B respectively with the decoy OS 210A. Interaction and/or relationship 412C may be defined for the interaction of the deception application 212C with the decoy OS 210B. Interaction and/or relationship 412C may be defined for the interaction of the deception application 214C with the decoy OS 210B. Interaction and/or relationship 412D may be defined for the interaction of the deception application 212D with the decoy OS 210C.

Reference is made once again to FIG. 1. As shown at 112, the campaign manager 216 dynamically and continuously updates the deception environment and/or the deception data objects 214 deployed on the endpoints 220. The deception environment is constantly updated to make the deception data objects 214 seem as valid data objects to the potential attacker. As part of updating the deception environment, the campaign manager 216 updates usage indication(s), for example, footprints, traces, access residues, log records and/or the like in the respective deception applications 212 indicating usage of the deception data objects 214. The campaign manager 216 updates the usage indication(s) to create an impression (impersonate) that the deception data objects 214 are valid and/or real data objects used by users, applications, services and/or the like in the protected network 235.

The campaign manager 216 may use one or more automated tools, for example, scripts to update the deception environment and/or the deception data objects 214. The campaign manager 216 may be configured to continuously update the deception environment and/or the deception data objects 214 for a pre-defined time period, for example, a day, a week, a month, a year and/or for an unlimited period of time. The campaign manager 216 may apply a schedule for updating the deception environment. The campaign manager 216 may therefore detect a returning potential attacker that attempted to access the protected network 235 in the past. Optionally, the campaign manager 216 updates the deception environment according to a behavioral pattern of the potential attacker such that the deception data objects are adapted to trap the potential attacker. The campaign manager 216 may further adapt the deception environment and/or the deception data objects 214 according to one or more characteristics of the returning potential attacker.
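The following Python code is an added example and is not code from the patent or from any product it describes. It shows one way a scheduled refresh of the usage indications described at 112 can be implemented: each deployed deception data object carries a last-usage timestamp, and whenever that timestamp falls outside a freshness window a synthetic access record is appended to the related deception application's log. The record format, the names, the endpoints and the timestamps are constructed for the example; the campaign end date and the working-hours window are assumed parameters.

```python
# Added example (not code from the patent): a scheduled refresh of usage
# indications so that deployed breadcrumbs keep looking recently used.
# Record format, names, endpoints and timestamps are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass
class UsageState:
    breadcrumb: str              # deception data object name
    app: str                     # related deception application (relationship 410)
    endpoint: str                # endpoint the object was deployed on
    data: str                    # value the object carries (share path, user, ...)
    last_used: datetime          # newest usage indication currently visible
    app_log: List[str] = field(default_factory=list)   # the application's log


def _plausible_time(name: str, now: datetime, start_hour: int,
                    window: timedelta) -> datetime:
    """Pick a working-hours timestamp that is never in the future.  The offset
    is derived from (breadcrumb, day) so a repeated refresh on the same day is
    idempotent and different breadcrumbs do not cluster on one second, which
    would itself be a tell to an attacker reviewing the log."""
    seed = hashlib.sha256(f"{name}:{now.date()}".encode()).digest()
    minutes = int.from_bytes(seed[:2], "big") % int(window.total_seconds() // 60)
    stamp = now.replace(hour=start_hour, minute=0, second=0, microsecond=0)
    stamp += timedelta(minutes=minutes)
    if stamp > now:
        stamp -= timedelta(days=1)   # today's slot has not happened yet: use yesterday's
    return stamp


def refresh_usage(states: List[UsageState], now: datetime,
                  max_age: timedelta = timedelta(days=3),
                  campaign_end: Optional[datetime] = None,
                  start_hour: int = 8,
                  window: timedelta = timedelta(hours=9)) -> List[str]:
    """Write a synthetic access record for every breadcrumb whose last usage
    indication is older than max_age.  Returns the records written."""
    if campaign_end is not None and now > campaign_end:
        return []                        # pre-defined campaign period is over
    written = []
    for st in states:
        if now - st.last_used <= max_age:
            continue                     # still looks fresh, leave it alone
        stamp = _plausible_time(st.breadcrumb, now, start_hour, window)
        record = (f"{stamp:%Y-%m-%dT%H:%M:%S} {st.app} src={st.endpoint} "
                  f"action=ACCESS object={st.data}")
        st.app_log.append(record)
        st.last_used = stamp
        written.append(record)
    return written


DEMO_NOW = datetime(2016, 7, 20, 14, 30)   # constructed "current time"


def sample_states() -> List[UsageState]:
    """Constructed sample: one stale breadcrumb and one used earlier today."""
    return [
        UsageState("Personnel_Files_BC", "Personnel_Files", "ws-012",
                   r"\\hrsrv01\Personnel", datetime(2016, 7, 5, 9, 0)),
        UsageState("HR_Admin_Hash_BC", "HR_Remote", "ws-013",
                   "hr_admin", datetime(2016, 7, 20, 11, 0)),
    ]


if __name__ == "__main__":
    states = sample_states()
    for rec in refresh_usage(states, DEMO_NOW):
        print(rec)
```

Running the refresh twice for the same day writes nothing the second time, and the records it does write always carry a timestamp before `now`; both properties matter because a log full of identical or future-dated accesses is exactly the kind of artefact that gives a decoy away.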

As shown at 114, the campaign manager 216 continuously monitors the protected network 235 in order to detect the potential attacker. The potential attacker may be detected by identifying one or more unauthorized operations that are initiated in the protected network 235. The unauthorized operation(s) may be initiated by a user, a process, a utility, an automated tool, an endpoint and/or the like. The unauthorized operation(s) may originate within the protected network 235 and/or from a remote location accessing the protected network 235 over the network 230 and/or the internet 240. In order to identify the unauthorized operation(s), the campaign manager 216 monitors the decoy OS(s) 210 and/or the deception applications 212 at one or more levels and/or layers, for example:

-   Network monitoring in which the campaign manager 216 monitors egress and/or ingress traffic at one or more of the endpoints 220. The campaign manager 216 may further record the monitored network traffic.
-   Log monitoring in which the campaign manager 216 monitors log records created by one or more of the deception application(s) 212.
-   OS monitoring in which the campaign manager 216 monitors interaction made by one or more of the deception applications 212 with the decoy OS(s) 210.
-   Kernel level monitoring in which the campaign manager 216 monitors and analyzes activity at the kernel level of the decoy OS(s) 210.

As shown at 116, the campaign manager 216 analyzes the monitored data and/or activity to detect the unauthorized operation that may indicate the potential attacker. Based on the analysis, the campaign manager 216 creates one or more of a plurality of detection events, for example, a touch event, an interaction event, a code execution event, an OS interaction event and/or a hardware interaction event. The analysis conducted by the campaign manager 216 may include false positive analysis to avoid identification of one or more operations initiated by one or more legitimate users, processes, applications and/or the like as the potential unauthorized operation.

The touch event(s) may be created when the campaign manager 216 detects network traffic on one or more ports.

The interaction events may be created when the campaign manager 216 detects a meaningful interaction with one or more of the deception applications 212. The campaign manager 216 may create the interaction event when detecting usage of data that is included, provided and/or available from one or more of the deception data objects 214 for accessing and/or interacting with one or more of the deception applications 212. For example, the campaign manager 216 may create an interaction event when detecting an attempt to log on to a deception application 212 of type “remote desktop service” using credentials stored in a deception data object 214 of type “hashed credentials”. As another example, the campaign manager 216 may detect a file access on an SMB share deception application 212 where the file name is available from a deception data object 214 of type “SMB mapped shares”. Additionally, the campaign manager 216 may create an interaction event when detecting interaction with the deception application(s) 212 using data that is available from valid data objects, i.e. not one of the deception data objects 214. For example, the campaign manager 216 may detect an HTTP request from an LIS deception application 212. Optionally, the campaign manager 216 may be configured to create interaction events when detecting one or more pre-defined interaction types, for example, logging on a specific deception application 212, executing a specific command, clicking a specific button(s) and/or the like. The user 260 may further define “scripts” that comprise a plurality of the pre-defined interaction types to configure the campaign manager 216 to create an interaction event at detection of complex interactions between one or more of the deception components, i.e. the decoy OS(s) 210, the deception application(s) 212 and/or the deception data object(s) 214.
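The following Python code is an added example and is not code from the patent or from any product it describes. It ties together two passages above: the relationships of FIG. 4 (deception data object to deception application, relationship 410; deception application to decoy OS, relationship 412) and the log monitoring at 114 that yields the touch and interaction events of 116. A small campaign model is built from those relationships, and a classifier reads constructed log lines from a network monitor and from the deception applications, emits a touch event for traffic on a decoy port and an interaction event for application activity, and, when the data used is traceable to a deployed deception data object, reports which object it was and on which endpoints it had been deployed. The log line format, the RDP application, the addresses and the endpoint names are constructed; the decoy OS and SMB application names follow the FIG. 3 screenshots.

```python
# Added example (not code from the patent): campaign model with the FIG. 4
# relationships and a log classifier producing touch / interaction events.
# Log format, addresses and endpoint names are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re


@dataclass(frozen=True)
class DecoyOS:
    name: str
    template: str


@dataclass(frozen=True)
class DeceptionApp:
    name: str
    kind: str
    port: int
    host: DecoyOS                   # relationship 412: application -> decoy OS


@dataclass(frozen=True)
class Breadcrumb:
    name: str
    kind: str
    target: DeceptionApp            # relationship 410: data object -> application
    data: str                       # the value an attacker would reuse
    deployed_on: Tuple[str, ...]    # endpoints the object was deployed to


@dataclass
class Event:
    kind: str                       # "touch" or "interaction"
    app: str
    source: str
    decoy_os: str
    detail: str = ""
    breadcrumb: Optional[str] = None
    suspect_endpoints: Tuple[str, ...] = ()


_KV = re.compile(r"(\w+)=(\S+)")


class Campaign:
    def __init__(self, apps: List[DeceptionApp], breadcrumbs: List[Breadcrumb]):
        self.by_port = {a.port: a for a in apps}
        self.by_name = {a.name: a for a in apps}
        self.crumbs = breadcrumbs

    def _match_breadcrumb(self, app: DeceptionApp, values) -> Optional[Breadcrumb]:
        """Trace an observed value back to a breadcrumb related to this app.
        Share paths match on prefix so a file below the decoy share counts."""
        for b in self.crumbs:
            if b.target is not app:
                continue
            want = b.data.lower()
            for v in values:
                v = v.lower()
                if v == want or v.startswith(want + "\\"):
                    return b
        return None

    def classify(self, line: str) -> Optional[Event]:
        """Constructed format: '<ts> <channel> <subject> k=v k=v ...'.  Channel
        'net' is a port observation (touch); any other channel is a deception
        application's own log (interaction)."""
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            return None
        _ts, channel, subject, rest = parts
        kv = dict(_KV.findall(rest))
        src = kv.get("src", "?")
        if channel == "net":
            app = self.by_port.get(int(kv.get("dst_port", -1)))
            if app is None:
                return None         # no decoy listens on that port
            return Event("touch", app.name, src, app.host.name,
                         detail=f"traffic on port {app.port}")
        app = self.by_name.get(subject)
        if app is None:
            return None
        ev = Event("interaction", app.name, src, app.host.name,
                   detail=kv.get("action", ""))
        crumb = self._match_breadcrumb(app, kv.values())
        if crumb is not None:
            # breadcrumb data was used: the endpoints it was deployed to are
            # where the attacker most likely picked it up
            ev.breadcrumb = crumb.name
            ev.suspect_endpoints = crumb.deployed_on
        return ev

    def analyze(self, lines) -> List[Event]:
        return [e for e in map(self.classify, lines) if e is not None]


HR_SERVER = DecoyOS("HR_Server", "Linux Ubuntu")
SMB_APP = DeceptionApp("Personnel_Files", "smb", 445, HR_SERVER)
RDP_APP = DeceptionApp("HR_Remote", "rdp", 3389, HR_SERVER)      # constructed
BREADCRUMBS = [
    Breadcrumb("Personnel_Files_BC", "mapped-share", SMB_APP,
               r"\\hrsrv01\Personnel", ("ws-012", "ws-013")),
    Breadcrumb("HR_Admin_Hash_BC", "hashed-credentials", RDP_APP,
               "hr_admin", ("ws-012",)),
]
SAMPLE_LOG = [   # constructed monitor output
    "2016-07-20T10:02:11 net - src=10.0.1.25 dst_port=445 bytes=0",
    r"2016-07-20T10:02:12 smb Personnel_Files src=10.0.1.25 user=jdoe action=OPEN path=\\hrsrv01\Personnel\salaries.xlsx",
    "2016-07-20T10:03:40 rdp HR_Remote src=10.0.1.25 user=hr_admin action=LOGON result=fail",
    "2016-07-20T10:04:02 net - src=10.0.1.9 dst_port=8080 bytes=312",
]


def run_sample() -> List[Event]:
    return Campaign([SMB_APP, RDP_APP], BREADCRUMBS).analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

The traffic to port 8080 yields nothing because no deception application is related to that port; the share open and the failed RDP logon both become interaction events, and each is traced through relationship 410 to the deployed object and through 412 to the decoy OS, which is the information an investigator needs first.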

The code execution events may be created when the campaign manager 216 detects that foreign code is executed on the underlying OS of one or more of the decoy OSs 210.

The OS interaction event may be created when the campaign manager 216 detects that one or more applications such as the applications 222 attempt to interact with one or more of the decoy OSs 210, for example, opening a port, changing a log and/or the like.

The hardware interaction event may be created when the campaign manager 216 detects that one or more of the decoy OSs 210 and/or the deception applications 212 attempts to access one or more hardware components of the hardware platform on which the decoy OSs 210 and/or the deception applications 212 are executed.

Using the campaign manager 216, the user 260 may define complex sequences comprising a plurality of events to identify more complex operations and/or interactions detected with the deception components. Defining the complex sequences may further serve to avoid the false positive identification.
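The following Python code is an added example and is not code from the patent or from any product it describes. It shows how a user-defined sequence of the detection events listed at 116 can be matched per source within a time window, so that a lone touch event (for example a vulnerability scanner probing the decoy port) raises no alert while a touch followed by breadcrumb use and code execution does. The event kinds are those named in the text; the policies, timestamps, addresses and application names are constructed.

```python
# Added example (not code from the patent): matching user-defined event
# sequences per source within a time window to cut false positives.
# Policies, timestamps, addresses and application names are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DetectionEvent:
    ts: datetime
    kind: str       # touch | interaction | code_execution | os_interaction | hardware_interaction
    app: str        # deception application or decoy OS the event came from
    source: str     # address the activity was observed from


@dataclass(frozen=True)
class AlertPolicy:
    name: str
    sequence: Tuple[str, ...]   # event kinds that must occur in this order
    window: timedelta           # all of them within this time span
    severity: str


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    source: str
    events: Tuple[DetectionEvent, ...]


class SequenceMatcher:
    """Keeps, per (policy, source), the prefix of the sequence seen so far."""

    def __init__(self, policies: List[AlertPolicy]):
        self.policies = policies
        self.progress: Dict[Tuple[str, str], List[DetectionEvent]] = {}

    def feed(self, ev: DetectionEvent) -> List[Alert]:
        alerts = []
        for p in self.policies:
            key = (p.name, ev.source)
            matched = self.progress.get(key, [])
            if matched and ev.ts - matched[0].ts > p.window:
                matched = []                      # prefix expired: start over
            if ev.kind == p.sequence[len(matched)]:
                matched = matched + [ev]
            if len(matched) == len(p.sequence):
                alerts.append(Alert(p.name, p.severity, ev.source, tuple(matched)))
                matched = []
            self.progress[key] = matched
        return alerts

    def run(self, events: List[DetectionEvent]) -> List[Alert]:
        alerts = []
        for ev in sorted(events, key=lambda e: e.ts):   # monitors may deliver out of order
            alerts.extend(self.feed(ev))
        return alerts


POLICIES = [
    AlertPolicy("breadcrumb-used-then-code-run",
                ("touch", "interaction", "code_execution"), timedelta(minutes=30), "high"),
    AlertPolicy("repeated-breadcrumb-use",
                ("interaction", "interaction"), timedelta(hours=1), "medium"),
]

T0 = datetime(2016, 7, 20, 10, 2, 11)
SAMPLE_EVENTS = [   # constructed
    DetectionEvent(T0, "touch", "Personnel_Files", "10.0.1.25"),
    DetectionEvent(T0 + timedelta(minutes=1), "interaction", "Personnel_Files", "10.0.1.25"),
    DetectionEvent(T0 + timedelta(minutes=5), "code_execution", "HR_Server", "10.0.1.25"),
    DetectionEvent(T0, "touch", "Personnel_Files", "10.0.1.9"),     # scanner: touch only
    DetectionEvent(T0 + timedelta(hours=2), "interaction", "Personnel_Files", "10.0.1.9"),
    DetectionEvent(T0 + timedelta(hours=2, minutes=1), "interaction", "HR_Remote", "10.0.1.9"),
]


def run_sample() -> List[Alert]:
    return SequenceMatcher(POLICIES).run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a.severity, a.policy, a.source)
```

For 10.0.1.9 the touch at T0 has fallen out of the 30-minute window by the time its first interaction arrives two hours later, so the high-severity sequence never completes for that source; only the medium-severity repeated-use policy fires, from the two interactions one minute apart.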

Optionally, the campaign manager 216 creates an activity pattern of the potential attacker by analyzing the identified unauthorized operation(s). Using the activity pattern, the campaign manager 216 may gather useful forensic data on the operations of the potential attacker and may classify the potential attacker in order to estimate a course of action and/or intentions of the potential attacker. The campaign manager 216 may then adapt the deception environment to tackle the estimated course of action and/or intentions of the potential attacker.

Optionally, the campaign manager 216 employs one or more machine learning processes, methods, algorithms and/or techniques on the identified activity pattern. The machine learning may serve to increase the accuracy of classifying the potential attacker based on the activity pattern. The machine learning may further be used by the campaign manager 216 to adjust future deception environments and deception components to adapt to the learned activity pattern(s) of a plurality of potential attacker(s).

As shown at 118, the campaign manager 216 generates one or more alerts following the detection event indicating the potential unauthorized operation. The user 260 may configure the campaign manager 216 to set an alert policy defining one or more of the events and/or combination of events that trigger the alert(s). The campaign manager 216 may be configured during the creation of the deception campaign and/or at any time after the deception campaign is launched. The alert may be delivered to the user 260 monitoring the campaign manager 216 and/or through any other method, for example, an email message, a text message, an alert in a mobile application and/or the like.

The campaign manager 216 and/or the deception environment may be further configured to take one or more additional actions following the alert. One action may be pushing a log of potential unauthorized operation(s) using one or more external applications and/or services, for example, syslog, email and/or the like. The log may be pushed with varying levels of urgency according to the policy defined for the deception campaign. The external system(s) in turn may take additional actions such as, for example, mitigating the potential threat by blocking executables detected as malware, blocking network access to compromised endpoints 220 and/or the like. Another action may be taking a snapshot of the affected decoy OSs 210 and/or deception applications 212 and turning them off in order to limit the potential attacker's ability to use the decoy OSs 210 and/or the deception applications 212 as a staging point for further action(s). The snapshot may serve for later forensic analysis to analyze the data captured before and during the attack until the turn-off time. Yet another action may be to trigger call back function(s) to one or more clients using an API supported by the deception environment. Details of the attack may be relayed to the client(s) that may be configured with user-defined procedure(s) and/or direction(s) to take further action. For example, the client(s) may use the API of the deception environment to create, launch and/or deploy one or more additional deception elements, for example, the decoy OS 210, the deception application 212 and/or the deception data object 214.

Optionally, the campaign manager 216 presents the user(s) 260 with real time and/or previously captured status information relating to the deception campaign(s), for example, created events, detected potential attackers, attack patterns and/or the like. The campaign manager 216 may provide, for example, a dashboard GUI provided through the user interface 206. The campaign manager 216 may also present the status information through a remote access application, for example, a web browser and/or a local agent executed on one of the endpoints 220 and/or at a remote location accessing the campaign manager 216 remotely over the network 230 and/or the internet 240.

Reference is now made to FIG. 6A, which is a screenshot of an exemplary first status screen of a campaign manager dashboard presenting structural information of a deception campaign, according to some embodiments of the present invention. A screenshot 600A describing a deception campaign may be presented to one or more users such as the user 260 through a GUI of a campaign manager such as the campaign manager 216. The user 260 may select a campaign tab 610A to show an overall view of the deception campaign launched in the protected network 235. Once the user 260 selects the campaign tab 610A, the campaign manager 216 presents status information on the deception campaign. The campaign manager 216 may present a structural diagram of the deception campaign including, for example, the deception components used during the deception campaign and/or the relationships (interactions) defined for each of the deception components. Furthermore, through the provided interface, the user 260 may define the type of events that may trigger alerts.

Reference is also made to FIG. 6B, which is a screenshot of an exemplary second status screen of a campaign manager dashboard for investigating potential threats detected during a deception campaign, according to some embodiments of the present invention. The user 260 may select an investigation tab 610B to show potential threats, for example, unauthorized operation(s), suspected interactions and/or the like that may indicate potential attackers operating within the protected network 235. Once the user 260 selects the investigation tab 610B, the campaign manager 216 presents status information on potential threats. Each entry may present one or more potential threats and the user 260 may select any one of the entries to investigate further the nature of the potential threat.

According to some embodiments of the present invention, there are provided methods, systems and software program products for containing a malicious attack by directing the malicious attack to a deception environment created and/or updated dynamically in a protected network in response to detection of the potential attacker. The deception environment may be created and/or updated in response, for example, to an attempt of a potential attacker to access the protected network using false access information of a certain user of the protected network. The deception environment may be further updated in response to one or more operations the potential attacker applies as part of an attack vector. As described before, the potential attacker initiating the access attempt and/or the attack vector may be, for example, a human user, a process, an automated tool, a machine and/or the like.

The potential attacker may predict (“guess”) the access information of the certain user, for example, a credential, a password, a password hint question and/or the like, based on public information of the certain user, for example, an email address, a phone number, a work place, a home address, a parent name, a spouse name, a child name, a birth date and/or the like. The potential attacker may obtain the public information of the certain user from one or more publicly accessible networked resources, for example, an online news website, a workplace website, an online government service, an online social network (e.g. Facebook, Google+, LinkedIn, etc.) and/or the like.

In some scenarios, the potential attacker may assume a more active role. For example, the potential attacker may set up a fictive service and attract the certain user to open an account on the fictive service. Based on the access information the certain user used for creating the account on the fictive service, the potential attacker may predict the access information the certain user uses for accessing one or more valid (genuine) services. In another example, the potential attacker may apply one or more social engineering techniques, for example, phishing and/or the like, to get the certain user to reveal his password. During the phishing attack, the certain user is led to believe he is accessing one or more of the valid (genuine) services and may provide his real access information.

In order to protect the certain user (or in practice, a plurality of users such as the certain user), the potential attacker may be led to believe he has entered a real processing environment of the protected network while in fact he is granted access into the deception environment. This may be done by identifying false access information used by the potential attacker while attempting to access the protected network. The false access information may be identified by predicting, from the public information of the certain user, the access information the potential attacker is likely to guess, thereby simulating the prediction process done by the potential attacker. Additionally and/or alternatively, the false access information may be identified as false access information that was provided to the potential attacker by intentionally (knowingly) following the path the potential attacker lays to lead the certain user to reveal his access information at the fictive website and/or fictive service, and providing the false access information there.

Moreover, advanced attackers, either human users and/or automated tools, for example, a malware and/or the like, may apply caution when operating in the protected network in order to avoid detection.

In order to detonate the attack, i.e. cause the potential attacker to operate, for example, apply the attack vector, the potential attacker has to be convinced that the deception environment (also known as a “sandbox”) he unknowingly entered is a real (valid) processing environment. This may be done by dynamically updating the deception environment in real time in response to the access attempt and/or in response to one or more operations of the attack vector, which may be a multi-stage attack vector.

Reference is now made to FIG. 7, which is a flowchart of an exemplary process for containing a malicious attack within a deception environment created dynamically in a protected network, according to some embodiments of the present invention. A process 700 may be executed by a campaign manager such as the campaign manager 216 to protect a protected network such as the protected network 235 from a potential attacker attempting to access the protected network 235. The process 700 may be carried out by the campaign manager 216 in one or more of the systems 200A, 200B, 200C, 200D, 200E and/or 200F, collectively referred to hereinafter as the system 200 for brevity.

As shown at 702, the process 700 starts with the campaign manager 216 detecting an attempt of the potential attacker to access the protected network 235. The campaign manager 216 may detect the attempted access by identifying that the potential attacker uses false access information, for example, a credential, a password, a password hint question and/or the like, of a certain user of the protected network 235.

The campaign manager 216 may identify the false access information the potential attacker uses by comparing it to predicted access information of the certain user that the campaign manager 216 predicts itself. By predicting (“guessing”) the access information of the certain user, the campaign manager 216 simulates methods and/or techniques that may be used by the potential attacker to predict the access information of the certain user. Often the certain user uses his (own) personal information to create his access information in order to remember it easily. The potential attacker may therefore use public information available for the certain user, for example, an email address, a phone number, a work place, a work place address, a residence address, a parent name, a spouse name, a child name, a birth date and/or the like, to predict (“guess”) the access information of the certain user. The potential attacker may obtain the public information of the certain user from one or more publicly accessible networked resources, for example, an online news website, a workplace website, an online government service, an online social media or network (e.g. Facebook, Google+, LinkedIn, etc.) and/or the like.

By simulating the process that may typically be applied by the potential attacker, based on the public information of the certain user, the campaign manager 216 may create a list of predicted access information candidates the certain user may typically create for accessing one or more privileged resources on the protected network 235, for example, a service, an account, a network, a database, a file and/or the like. The campaign manager 216 may be configured to apply one or more privacy laws, for example, according to a type of information, a geographical location of the certain user and/or the like, when collecting the public information of the certain user in order to avoid breaching privacy.

According to some embodiments of the present invention, when the certain user creates (real) access information for accessing the privileged resource(s), the campaign manager 216 evaluates the robustness of the created access information by comparing it to the predicted access information candidates. The comparison applied by the campaign manager 216 need not be a strict comparison in which the created access information matches the predicted access information candidate(s) exactly. The campaign manager 216 may apply the comparison to evaluate the similarity of the created access information to the predicted access information candidate(s), for example, by evaluating the linguistic distance, i.e. the number of characters by which they differ, between the created access information and the predicted access information candidate(s). The campaign manager 216 may determine that the created access information is insufficiently robust, i.e. that the created access information is similar to the predicted access information candidate(s), in case the linguistic distance (variation) between the created access information and a predicted access information candidate does not exceed a pre-defined number of characters, for example, 2 characters.

In case the campaign manager 216 identifies that the created access information is not sufficiently robust, i.e. it matches or is similar to one or more of the predicted access information candidates, the campaign manager 216 may take one or more actions, for example, reject the created access information, request the certain user to change the access information and/or the like. The campaign manager 216 may further offer the certain user robust access information created by the campaign manager 216.

The list of predicted access information candidate(s) created by the campaign manager 216 may be updated according to the techniques and/or methods the certain user applies to create his access information. Moreover, the campaign manager 216 verifies that the list of predicted access information candidate(s) does not include the actual access information created and used by the certain user in the protected network 235, since candidates from the list may later be handed to the potential attacker as false access information and a candidate equal to the actual access information would leak it.

In some embodiments of the present invention, the campaign manager 216 identifies the false access information as false access information that was provided during one or more past attempts to access the protected network 235. During the (past) attempts, the potential attacker may apply, for example, a social engineering attack such as a phishing attack embedded, for example, in an email message to divert the certain user to a fictive website emulating a real (valid) website. In another example, the past attack may include luring the certain user to register to a fictive service created by the potential attacker. The objective of the (past) attempt(s) and/or attacks is to predict the access information used by the certain user to access one or more real (valid) services, accounts, networks, privileged resources and/or the like.

The campaign manager 216 may intentionally (knowingly) “fall” into one or more traps laid out for the certain user by the potential attacker to lure the certain user to reveal his access information. For example, in case the potential attacker applies a social engineering technique, for example, a phishing attack, the campaign manager 216 may detect the phishing attack using one or more techniques as known in the art. For example, the campaign manager 216 may detect a suspected email message that is identified as a phishing attack. While typically such a phishing attack would be blocked, reported and/or discarded, the campaign manager 216 may intentionally (knowingly) follow the sequence laid out by the phishing attack and provide the potential attacker with the false access information. In another example, in case the potential attacker lures the certain user to register to a fictive website and/or a fictive service, the campaign manager 216 may intentionally (knowingly) follow the registration sequence in the fictive website/service, providing the false access information. The campaign manager 216 may be configured to inform the certain user, other users and/or systems of the (past) attempt(s) and/or attack(s). Optionally, the (past) attempt(s) and/or attack(s) are not reported to the certain user, hence the certain user is unaware of the (past) attempt(s) and/or attack(s) made by the potential attacker.

The false access information provided by the campaign manager 216 may be very similar to probable (predicted) access information that the certain user may use, in order to lead the potential attacker to believe the false access information is in fact real (genuine). Optionally, one or more of the predicted access information candidates are used as the false access information provided to the potential attacker as part of the registration process.

Based on the predicted access information candidates and/or the false access information provided to the potential attacker during the past attempt(s) and/or attacks, the campaign manager 216 may classify the access information used during the access attempt into several access information categories:

-   Correct access information.
-   Access information similar to the correct access information.
-   Predicted access information candidates from the list created by the campaign manager 216.
-   False access information provided by the campaign manager 216 during the past attempts and/or attacks.
-   Other access information.

The campaign manager 216 may therefore detect the attempted access of the potential attacker into the protected network 235 by evaluating the access information used by the potential attacker against the access information categories.

In case during the (current) access attempt the potential attacker uses the false access information provided by the campaign manager 216 during the past attempt(s) and/or attack(s), the campaign manager 216 may easily identify the attempt as made by the potential attacker, since that access information was never issued to any legitimate user of the protected network 235.

Similarly, since the campaign manager 216 is aware of the actual access information of the certain user, the campaign manager 216 may determine whether wrong access information is entered by the certain user or by the potential attacker during the access attempt. The campaign manager 216 may also apply the linguistic distance comparison with the pre-defined number of characters to determine whether the wrong access information is likely to have been entered by the certain user or by the potential attacker. For example, assume the real password of the certain user is GadiDean1, selected based on the names of the founders of a certain company using the protected network 235. While the certain user may reasonably be expected to make mistakes such as, for example, typing a password GadiDean or GadiDean2 when logging into the privileged resource(s), the certain user is less likely to make mistakes such as, for example, typing a password Shorashim1, selected based on the residence address of the certain user. Typically, assuming the residence address of the certain user is publicly available, for example, on the Internet, the password Shorashim1 is likely to be in the list of predicted access information candidates. The campaign manager 216 may therefore identify the first incident (GadiDean or GadiDean2) as an access attempt of the certain user, while the second incident (Shorashim1) may be an attempted access of the potential attacker. Note that evaluating the distance between the submitted access information and the actual access information requires the campaign manager 216 to have the actual access information available in a comparable (plaintext) form at the time of the attempt; where credentials are stored only as salted hashes, the campaign manager 216 may restrict the comparison to the predicted access information candidates and the false access information, both of which it generated itself and may retain.
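The following Python sketch is an added worked example of the candidate prediction, the robustness check and the access information categories described above; it is not code from the original specification. It builds a candidate list from a constructed public profile, measures the linguistic distance as Levenshtein edit distance with the 2-character threshold from the text, and classifies a submitted credential into one of the categories listed above. The profile, the suffix list, the honeytoken Levi1984 and all function names are assumptions made for the illustration; the password GadiDean1 and the attempts GadiDean, GadiDean2 and Shorashim1 are the ones used in the text.

```python
from itertools import permutations

# Public information an attacker would harvest about the user (constructed
# for this example). The real password GadiDean1 is the one used in the text.
PUBLIC_PROFILE = {
    "first_name": "Dana", "last_name": "Levi", "spouse": "Yoav", "child": "Noa",
    "street": "Shorashim", "city": "Haifa", "company": "Acme",
    "birth_date": "1984-03-12",
}
SUFFIXES = ("", "1", "12", "123", "!", "1!")   # assumed common suffixes
MAX_DISTANCE = 2                                # the pre-defined number of characters


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the 'linguistic distance' in characters that the
    text uses to compare a credential with a predicted candidate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca by cb
        prev = cur
    return prev[-1]


def predict_candidates(profile: dict, real_password: str = "") -> set:
    """Simulate the attacker's guessing: public tokens, pairs of tokens and
    common suffixes. The real credential (when known) is removed so the list
    can later be handed to an attacker as false access information without
    leaking it."""
    year = profile["birth_date"][:4]
    tokens = {profile[k] for k in ("first_name", "last_name", "spouse", "child",
                                   "street", "city", "company")}
    bases = tokens | {a + b for a, b in permutations(tokens, 2)}
    candidates = set()
    for base in bases:
        for form in (base, base.lower(), base.upper()):
            for suffix in SUFFIXES + (year, year[-2:]):
                candidates.add(form + suffix)
    candidates.discard(real_password)
    return candidates


def nearest_candidate(password: str, candidates) -> tuple:
    """(closest candidate, distance); ties are broken alphabetically so the
    result does not depend on set iteration order."""
    dist, cand = min((edit_distance(password, c), c) for c in candidates)
    return cand, dist


def check_robustness(password: str, candidates, max_distance: int = MAX_DISTANCE) -> tuple:
    """(robust?, closest candidate, distance). Not robust when a candidate is
    within max_distance edits: a guess from public data lands on or next to it."""
    cand, dist = nearest_candidate(password, candidates)
    return dist > max_distance, cand, dist


def classify_attempt(submitted: str, real_password: str, candidates, honeytokens,
                     max_distance: int = MAX_DISTANCE) -> str:
    """Map a submitted credential to one of the access information categories.
    Order matters: a honeytoken was only ever handed to an attacker, so it
    wins over any similarity test."""
    if submitted == real_password:
        return "correct"
    if submitted in honeytokens:
        return "honeytoken"
    if edit_distance(submitted, real_password) <= max_distance:
        return "similar_to_correct"          # plausible typo by the legitimate user
    if nearest_candidate(submitted, candidates)[1] <= max_distance:
        return "predicted_candidate"         # looks like a guess from public data
    return "other"


def likely_actor(category: str) -> str:
    """Who most likely typed the credential, given its category."""
    if category in ("correct", "similar_to_correct"):
        return "user"
    if category in ("honeytoken", "predicted_candidate"):
        return "attacker"
    return "unknown"


if __name__ == "__main__":
    real = "GadiDean1"
    cands = predict_candidates(PUBLIC_PROFILE, real)
    honeytokens = {"Levi1984"}   # a candidate handed out during a past phishing lure
    for attempt in ("GadiDean1", "GadiDean", "GadiDean2", "Shorashim1",
                    "Levi1984", "Tr0ub4dor&3"):
        cat = classify_attempt(attempt, real, cands, honeytokens)
        print(f"{attempt:12} -> {cat:20} ({likely_actor(cat)})")
```

The honeytoken test precedes the similarity tests on purpose: a credential that the campaign manager itself planted during a past phishing or registration sequence cannot have been typed by the legitimate user, whatever its distance from the real password. The robustness check returns the closest candidate as well, so that the user can be told which public fact the rejected password resembles.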

The campaign manager 216 may be configured to inform the certain user, other users and/or systems of the access attempt in case the access attempt is determined to have been initiated by the potential attacker. Optionally, the access attempt is not reported to the certain user, hence the certain user is unaware of the access attempt by the potential attacker.

As shown at 704, the campaign manager 216 creates and/or updates the deception environment in real time in response to the detected attempt of the potential attacker to access the protected network 235. Based on the detected false access information, the campaign manager 216 may collect information on the certain user whose access information is used by the potential attacker in order to generate a false identity of the certain user, for example, an account, a working environment and/or the like, as part of the deception environment.

In order to convince the potential attacker that the deception environment is the real (valid) processing environment and/or part thereof, the campaign manager 216 may construct the false identity according to the public information of the certain user that is typically available to the potential attacker. By exposing the real (public) information of the certain user to the potential attacker, the false identity may seem consistent and legitimate to the potential attacker. For example, the campaign manager 216 may create a false account, for example, a Facebook account of the certain user that includes the same public information that is publicly available to other Facebook users from the real (genuine) Facebook account of the certain user. Specifically, the public information of the certain user is publicly available with no need for specific access permission(s). In another example, the campaign manager 216 may create a fake company account for the certain user in the deception environment in the protected network 235. The fake company account may include information specific to the role and/or job title of the certain user within the company, for example, a programmer, an accountant, an IT person and/or the like.

Optionally, one or more generic fake identity templates may be used to create the false identity of the certain user. Each of the generic fake identity templates may be configured to include information typical, for example, of a role in the company, a job title holder in the company and/or the like. The campaign manager 216 may further combine one or more of the generic fake identity templates with the public information of the certain user to create the false identity associated with the certain user.

Optionally, the campaign manager 216 uses one or more of the generic fake identity templates in case the access attempt is not identified as associated with any user such as the certain user of the protected network 235.

Optionally, the campaign manager 216 adds additional information to the false identity to make it more attractive for the potential attacker to hack.

The campaign manager 216 may create the fake identity to be consistent with information of the certain user as used during one or more of the past attempts and/or attacks. For example, assume that based on the public information of the certain user the potential attacker identified that the certain user attends dance classes and launched a past phishing attack in which a phishing e-mail message targeted dancers, for example, with a dancing event. During the current access attempt of the potential attacker, the campaign manager 216 may include in the fake identity, for example, information on the dancing habits of the certain user. This may make the false identity more consistent and legitimate looking to the potential attacker. Moreover, assuming the past phishing attack initiated by the potential attacker included information that is not publicly available for the certain user and/or was illegally obtained by the potential attacker, the campaign manager 216 may include related information on the certain user that is not publicly available. For example, assuming the phishing attack was directed towards the hunting interests of the certain user, the campaign manager 216 may include false hunting information of the certain user in the fake identity.

The deception environment created by the campaign manager 216 may include one or more decoy endpoints such as the decoy endpoint discussed before (physical endpoints and/or virtual endpoints) that may execute decoy OSs such as the decoy OSs 210 and/or deception applications such as the deception application 212. The campaign manager 216 may further create the deception environment to include a decoy network comprising a plurality of decoy endpoints networked together, to further make the deception environment seem convincing to the potential attacker, who is led to believe the deception environment is a real (valid) processing environment.

The campaign manager 216 creates and/or updates one or more of the decoy endpoints and/or the decoy network to comply with the fake identity created for the certain user, in order to maintain the consistency of the deception environment as viewed by the potential attacker. For example, assuming the certain user is a programmer, the campaign manager 216 may create the decoy endpoint to include a typical programming environment consistent with the programming area of the certain user, for example, relevant programming tool(s), build tool(s) and/or programs that are appropriate for the programming area of the certain user and/or the company he works for. In another example, assuming the certain user works for company X, the campaign manager 216 may create the decoy network for company X to include publicly available known data about company X. The campaign manager 216 may use this publicly available data to create a believable deception environment and deception story. The created decoy network may include common network services that exist in every network, for example, file shares, an Exchange (mail) server and/or the like.

In order to make the deception environment seem real to the potential attacker, the campaign manager 216 may simulate real activity in the fake identity, the decoy endpoint(s) and/or the decoy network. For example, the campaign manager 216 may create and/or maintain (update dynamically) a plurality of usage indications, for example, a browsing history, a file edit history and/or the like, as typically produced by real users in the real (valid) processing environment of the protected network 235. The real activity simulation may be done automatically by the campaign manager 216, manually by one or more users of the protected network 235 and/or by a combination of the automatic and manual simulations. Optionally, when simulated manually, updating one or more of the usage indications may still be done automatically to make the usage indication appear to change dynamically over time. Usage indications that an attacker can cross-check, for example, file modification times and shell or editor history, should agree with each other and stay within hours at which the impersonated user would plausibly be active, since an inconsistency between them is what reveals the decoy.
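As an added example of the file edit history emulation described above (not code from the original specification), the Python below seeds a throwaway decoy directory for a role and then performs one periodic refresh: it backdates one or two files to a plausible working-hours time no later than the current moment and appends the matching editor command, with a bash-style timestamp comment, to a shell history file, so that the two indications an intruder would compare agree. The role file templates, the editor mapping, the working hours and the fixed current time in run_demo are assumptions made for the illustration.

```python
import os
import random
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Files a decoy endpoint of a given role would plausibly edit, and the
# program that would edit them (assumed role templates, not from the text).
ROLE_FILES = {
    "programmer": ["src/main.c", "src/Makefile", "notes/todo.txt"],
    "accountant": ["Q3/ledger.csv", "Q3/invoices.csv", "notes/todo.txt"],
}
EDITORS = {"c": "vim", "Makefile": "vim", "csv": "libreoffice --calc", "txt": "nano"}
WORK_START, WORK_END = 8, 18          # local hours in which an edit looks natural


def plausible_edit_time(day: datetime, rng: random.Random) -> datetime:
    """A timestamp on a weekday within working hours, on or before `day`."""
    while day.weekday() >= 5:                      # Saturday/Sunday roll back to Friday
        day -= timedelta(days=1)
    minute = rng.randrange(WORK_START * 60, WORK_END * 60)
    return day.replace(hour=minute // 60, minute=minute % 60,
                       second=rng.randrange(60), microsecond=0)


def set_times(path: Path, when: datetime) -> None:
    """Backdate atime/mtime: what an intruder sees in `ls -l` or `stat`."""
    os.utime(path, (when.timestamp(), when.timestamp()))


def seed_decoy_tree(root: Path, role: str, rng: random.Random, now: datetime,
                    days_back: int = 30) -> None:
    """Create the role's files with edit times spread over the past weeks."""
    for rel in ROLE_FILES[role]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"decoy content for {rel}\n")   # constructed placeholder content
        past_day = now - timedelta(days=rng.randrange(1, days_back))
        set_times(path, plausible_edit_time(past_day, rng))
    (root / ".bash_history").write_text("")


def refresh_usage(root: Path, role: str, rng: random.Random, now: datetime) -> list:
    """The periodic update: 'edit' one or two files at a plausible time no
    later than `now`, and append the matching command to the shell history
    so that the two usage indications tell the same story."""
    edits = []
    for rel in rng.sample(ROLE_FILES[role], k=rng.randrange(1, 3)):
        when = plausible_edit_time(now, rng)
        if when > now:                             # slot is later today: use the previous workday
            when = plausible_edit_time(now - timedelta(days=1), rng)
        edits.append((when, rel))
    edits.sort()                                   # history must be chronological
    with (root / ".bash_history").open("a") as hist:
        for when, rel in edits:
            set_times(root / rel, when)
            kind = Path(rel).suffix.lstrip(".") or Path(rel).name
            # bash writes "#<epoch>" before each command when HISTTIMEFORMAT is set
            hist.write(f"#{int(when.timestamp())}\n{EDITORS[kind]} {rel}\n")
    set_times(root / ".bash_history", edits[-1][0])
    return edits


def edit_times(root: Path) -> dict:
    """Observed mtime per file, relative to root (what an intruder would list)."""
    return {str(p.relative_to(root)):
            datetime.fromtimestamp(p.stat().st_mtime).replace(microsecond=0)
            for p in root.rglob("*") if p.is_file()}


def run_demo(seed: int = 7, role: str = "programmer") -> dict:
    """Seed a throwaway decoy tree, apply one refresh, and report the result."""
    now = datetime(2024, 5, 15, 16, 30)            # fixed 'current time' (a Wednesday) for reproducibility
    rng = random.Random(seed)
    root = Path(tempfile.mkdtemp(prefix="decoy-"))
    seed_decoy_tree(root, role, rng, now)
    edits = refresh_usage(root, role, rng, now)
    return {"root": root, "now": now, "edits": edits, "times": edit_times(root),
            "history": (root / ".bash_history").read_text().splitlines()}


if __name__ == "__main__":
    result = run_demo()
    for rel, t in sorted(result["times"].items(), key=lambda kv: kv[1]):
        print(f"{t:%a %Y-%m-%d %H:%M:%S}  {rel}")
    print("\n".join(result["history"]))
```

Run it once per refresh interval with a real clock in place of the fixed time in run_demo; the sorted edit list keeps the shell history chronological even when two files are touched in one pass, and a history file whose own mtime predates its last entry would be an inconsistency, which is why it is backdated to the last edit as well.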

The campaign manager 216 may further use the real processing environment of the protected network 235, and/or part thereof, as the deception environment or as part of it. Doing so may be beneficial assuming useful elements of the real processing environment, for example, a file with a password, a file with associated credentials and/or the like, can be properly detected to serve, for example, the fake identity, the fake account and/or the like. The campaign manager 216 may use the real processing environment in which one or more of the detected payloads are modified to trap the potential attacker while maintaining the rest of the processing environment unaltered. The campaign manager 216 may need to exercise caution when employing such an approach, since the potential attacker, in particular a skilled attacker, may take advantage of one or more aspects of the real processing environment, for example, the identity, the account and/or the like, that are left unchanged.

As shown at 706, the campaign manager 216 grants the potential attacker access into the deception environment. When accessing the deception environment, the potential attacker may be convinced that he is actually entering the real (valid) processing environment of the protected network 235.

As shown at 708, the campaign manager 216 analyzes the attack vector applied by the potential attacker in order to identify one or more intentions of the potential attacker.

As shown at 710, based on the analysis of the attack vector applied by the potential attacker, the campaign manager 216 may take one or more actions in response to the attack vector action(s). For example, the campaign manager 216 may alert one or more authorized persons and/or systems, for example, a user such as the user 260, an Information Technology (IT) person, a security system, security software and/or the like.

The main purpose of the actions taken by the campaign manager 216 is to detonate the attack vector. Detonating the attack means allowing and/or encouraging the potential attacker to operate, for example, apply the attack vector, in the deception environment, regarded as a safe “sandbox”, to make the potential attacker detectable by the campaign manager 216. This may be achieved by dynamically adjusting the deception environment and/or by responding to the action(s) applied through the attack vector in an authentic manner, in order to convince the potential attacker that he actually entered the real (valid) processing environment of the protected network 235.

The campaign manager 216 may update the deception environment as described in step 704 to adapt to the action(s) made by the potential attacker. Since the attack vector may be a multi-stage attack vector comprising a plurality of actions, the campaign manager 216 may continuously respond to the attack vector action(s) by constantly updating the deception environment, for example, adjusting the fake identity, adding/removing and/or adjusting one or more of the decoy endpoints and/or the like. For example, assuming the campaign manager 216 identifies that the potential attacker tries to access another endpoint on the decoy network, the campaign manager 216 may create in real time one or more additional decoy endpoints that are added to the decoy network. In another example, assuming the potential attacker is a malware, the campaign manager 216 may intentionally (knowingly) install the malware in the deception environment and initiate the actions expected by the malware. For example, in case the malware is a Word document, the campaign manager 216 may open the document in the deception environment, for example, on the decoy endpoint, using the typical tools for opening a Word document. In another example, in case the malware is a suspected browser tool, the campaign manager 216 may download the malware into the deception environment and launch the malware on the decoy endpoint for browsing the network(s). The campaign manager 216 may follow additional instructions initiated by the malware. However, the execution of the malware is contained within the deception environment, which therefore needs to be isolated from the real processing environment of the protected network 235 so that the detonated malware cannot reach production resources.

By detonating the attack vector, the attack vector and hence the potential attacker may be detected by the campaign manager 216. This may allow the campaign manager 216 to further analyze the attack vector, as done in step 708, and take additional actions in response to the attack vector based on the analysis.

The campaign manager 216 may be configured to continuously update the deception environment for as long as defined, for example, a day, a week, a month, a year and/or for an unlimited period of time. This may allow the campaign manager 216 to identify one or more potential attackers that return to attempt to gain access into the protected network 235. The campaign manager 216 may identify the returning attacker(s) by analyzing one or more Indicators of Compromise (IOC), for example, an attribute, an operational parameter and/or a behavioral characteristic of the returning attacker(s). For example, an originating IP address of the attacker, a common attack tool used by the attacker, a common filename used by the attacker and/or the like may be detected to identify the potential attacker as a returning attacker. Since a single IOC such as an originating IP address may be shared by unrelated parties or changed by the attacker between attempts, the campaign manager 216 may require several IOCs to agree before treating the potential attacker as a returning attacker. The campaign manager 216 may take additional measures on detection of the returning potential attacker, for example, restore the deception environment adapted according to characteristics of the returning potential attacker and/or the attack vector(s) used by the returning potential attacker during previous access attempts into the protected network 235. For example, assume the campaign manager 216 identified during a past attempted access of the potential attacker that the attack vector of the potential attacker was directed towards obtaining technology aspects of one or more products of the company the certain user works for. On the current attempted access of the returning potential attacker, the campaign manager 216 may therefore create and/or update the deception environment to include, for example, fabricated information leading to an account and/or a decoy endpoint of a technology research leader that may be attractive to the returning potential attacker.

By adapting the deception environment according to the characteristic(s) of the returning potential attacker, the returning potential attacker may be further convinced that the deception environment is the real (valid) processing environment of the protected network 235. For example, assume that during a first access attempt the returning potential attacker looked to access a restricted financial file directory and the campaign manager 216 adjusted the deception environment to include a decoy endpoint designated with a financial oriented title, for example, a desktop of a secretary of the Chief Financial Officer (CFO). In case the campaign manager 216 detects the same potential attacker returning to try another access attempt, the campaign manager 216 may extend the deception environment to include a decoy endpoint designated, for example, “CFO Laptop” to attract the returning potential attacker to attempt to access the decoy endpoint.
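The Python below is an added example (not code from the original specification) covering two of the adaptations described above: creating a decoy endpoint on the fly when the attacker probes an unpopulated address of the decoy network, and recognizing a returning attacker from overlapping IOCs so that the decoy offered on the next visit continues the story of the earlier one, in the manner of the CFO example. The IOC weights and threshold, the escalation ladders, the decoy subnet, the hostnames and all class and method names are assumptions made for the illustration; the sample IOC values use documentation address ranges and made-up hashes.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Weight of each IOC kind when deciding that two visits are the same attacker
# (assumed values). The threshold is chosen so that no single weak indicator,
# such as a shared or rotated source address, identifies a returning attacker.
IOC_WEIGHTS = {"src_ip": 0.5, "tool_hash": 0.6, "user_agent": 0.2, "filename": 0.3}
MATCH_THRESHOLD = 0.7

# Decoy offered on the 1st, 2nd, ... visit of an attacker with a given interest
# (assumed ladders, modelled on the CFO secretary / CFO Laptop example).
ESCALATION = {
    "financial": ["CFO-secretary-desktop", "CFO-Laptop", "finance-fileshare"],
    "technology": ["build-server", "research-lead-workstation", "source-archive"],
}


@dataclass
class AttackerProfile:
    interest: str                                   # from the attack vector analysis (step 708)
    iocs: dict = field(default_factory=dict)        # kind -> set of values seen so far
    visits: int = 0
    decoys_shown: list = field(default_factory=list)


@dataclass
class DeceptionEnvironment:
    subnet: str                                     # decoy network, e.g. "10.99.0.0/24"
    decoys: dict = field(default_factory=dict)      # ip -> decoy hostname
    profiles: list = field(default_factory=list)

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.subnet)

    def match_returning(self, observed: dict) -> Optional[AttackerProfile]:
        """Weighted IOC overlap against every known profile; the best profile
        is returned only if its score clears MATCH_THRESHOLD."""
        best, best_score = None, 0.0
        for profile in self.profiles:
            score = sum(weight for kind, weight in IOC_WEIGHTS.items()
                        if observed.get(kind) in profile.iocs.get(kind, set()))
            if score > best_score:
                best, best_score = profile, score
        return best if best_score >= MATCH_THRESHOLD else None

    def add_decoy(self, hostname: str) -> str:
        """Stand up a decoy on the next free address of the decoy subnet."""
        for ip in self.net.hosts():
            if str(ip) not in self.decoys:
                self.decoys[str(ip)] = hostname
                return str(ip)
        raise RuntimeError("decoy subnet exhausted")

    def on_access(self, observed: dict, interest: str) -> str:
        """An attacker has been let into the deception environment: bind the
        visit to a returning profile (keeping the interest learned earlier) or
        open a new one, record the fresh IOCs, and offer the next lure."""
        profile = self.match_returning(observed)
        if profile is None:
            profile = AttackerProfile(interest=interest)
            self.profiles.append(profile)
        for kind, value in observed.items():
            profile.iocs.setdefault(kind, set()).add(value)
        ladder = ESCALATION[profile.interest]
        lure = ladder[min(profile.visits, len(ladder) - 1)]
        profile.visits += 1
        profile.decoys_shown.append(lure)
        self.add_decoy(lure)
        return lure

    def on_probe(self, dst_ip: str, role: str) -> Optional[str]:
        """The attacker touched an address inside the decoy subnet that has no
        decoy yet: create one there, named for the fake identity's role, so the
        network keeps looking populated. Addresses outside the subnet, and the
        network/broadcast addresses, are left alone."""
        ip = ipaddress.ip_address(dst_ip)
        if ip not in self.net or dst_ip in self.decoys:
            return None
        if ip in (self.net.network_address, self.net.broadcast_address):
            return None
        hostname = f"{role}-ws-{len(self.decoys) + 1:02d}"
        self.decoys[dst_ip] = hostname
        return hostname


if __name__ == "__main__":
    env = DeceptionEnvironment("10.99.0.0/24")
    print(env.on_access({"src_ip": "203.0.113.7", "tool_hash": "ab12", "filename": "loot.zip"}, "financial"))
    print(env.on_access({"src_ip": "198.51.100.9", "tool_hash": "ab12", "filename": "loot.zip"}, "technology"))
    print(env.on_probe("10.99.0.77", "programmer"), env.decoys)
```

With these weights a visit from a new address that reuses the same tool and filename scores 0.9 and is treated as the same attacker, whereas a visit sharing only the source address scores 0.5 and opens a new profile; the interest recorded on the first visit, not the analyst's guess on the second, selects the next rung of the ladder, which is how the CFO secretary desktop is followed by the CFO laptop.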

Optionally, based on the analysis of the attack vector applied by the potential attacker, the campaign manager 216 identifies one or more activity patterns of the potential attacker. Using the activity pattern(s), the campaign manager 216 may gather useful forensic data on the operations of the potential attacker and may classify the potential attacker in order to estimate a course of action and/or the intention(s) of the potential attacker. The campaign manager 216 may then further adapt the deception environment to tackle the estimated course of action and/or intention(s) of the potential attacker. This may allow learning the attack vector and applying protection means to real user accounts to protect them against future attack vector(s), and/or parts thereof, as detected by the campaign manager 216 applying the process 700. This may further allow the campaign manager 216 to characterize the potential attacker into one or more attacker types and adapt the deception environment according to typical characteristics of the attacker type. For example, assuming the campaign manager 216 identifies that the attack vector of the potential attacker is directed towards obtaining financial records, the campaign manager 216 may characterize the potential attacker as a financial information seeking attacker. The campaign manager 216 may then update the deception environment to include, for example, fabricated information leading to an account and/or a decoy endpoint of a finance person that may be attractive to the potential attacker.

The descriptions of the various embodiments of the present invention have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

It is expected that during the life of a patent maturing from this application many relevant systems, methods and computer programs will be developed, and the scope of the terms endpoint and virtual machine is intended to include all such new technologies a priori.

As used herein the term “about” refers to ±10%.

The terms “comprises”, “comprising”, “includes”, “including”, “having” and their conjugates mean “including but not limited to”. This term encompasses the terms “consisting of” and “consisting essentially of”.

The phrase “consisting essentially of” means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.

As used herein, the singular forms “a”, “an” and “the” include plural references unless the context clearly dictates otherwise. For example, the term “a compound” or “at least one compound” may include a plurality of compounds, including mixtures thereof.

The word “exemplary” is used herein to mean “serving as an example, instance or illustration”. Any embodiment described as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.

The word “optionally” is used herein to mean “is provided in some embodiments and not provided in other embodiments”. Any particular embodiment of the invention may include a plurality of “optional” features unless such features conflict.

It is appreciated that certain features of the invention, which are, forclarity, described in the context of separate embodiments, may also beprovided in combination in a single embodiment. Conversely, variousfeatures of the invention, which are, for brevity, described in thecontext of a single embodiment, may also be provided separately or inany suitable subcombination or as suitable in any other describedembodiment of the invention. Certain features described in the contextof various embodiments are not to be considered essential features ofthose embodiments, unless the embodiment is inoperative without thoseelements.

Although the invention has been described in conjunction with specificembodiments thereof, it is evident that many alternatives, modificationsand variations will be apparent to those skilled in the art.Accordingly, it is intended to embrace all such alternatives,modifications and variations that fall within the spirit and broad scopeof the appended claims.

All publications, patents and patent applications mentioned in thisspecification are herein incorporated in their entirety by referenceinto the specification, to the same extent as if each individualpublication, patent or patent application was specifically andindividually indicated to be incorporated herein by reference. Inaddition, citation or identification of any reference in thisapplication shall not be construed as an admission that such referenceis available as prior art to the present invention. To the extent thatsection headings are used, they should not be construed as necessarilylimiting.

What is claimed is:
 1. A computer implemented method of detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising: launching, on at least one decoy endpoint, at least one decoy operating system (OS) managing at least one of a plurality of deception applications mapping a plurality of applications executed in a protected network; updating dynamically a usage indication for a plurality of deception data objects deployed in the protected network to emulate usage of said plurality of deception data objects for accessing said at least one deception application, said plurality of deception data objects are configured to trigger an interaction with said at least one deception application when used; detecting usage of data contained in at least one of said plurality of deception data objects by monitoring said interaction; and identifying at least one potential unauthorized operation based on analysis of said detection.
 2. The computer implemented method of claim 1, wherein said decoy endpoint is a member selected from a group consisting of: a physical device comprising at least one processor and a virtual machine.
 3. The computer implemented method of claim 2, wherein said virtual machine is hosted by at least one member selected from a group consisting of: a local endpoint, a cloud service and a vendor service.
 4. The computer implemented method of claim 1, wherein each of said plurality of deception data objects emulates a valid data object used for interacting with said at least one application.
 5. The computer implemented method of claim 1, wherein each of said plurality of deception data objects is a member selected from a group consisting of: a hashed credentials object, a browser cookie, a registry key, a Server Message Block (SMB) mapped share, a Mounted Network Storage element, a configuration file for remote desktop authentication credentials, a source code file with embedded database authentication credentials and a configuration file to a source-code version control system.
 6. The computer implemented method of claim 1, wherein said usage indication comprises impersonating that said plurality of deception data objects are used to interact with said at least one deception application.
 7. The computer implemented method of claim 1, wherein said at least one potential unauthorized operation is initiated by a member selected from a group consisting of: a user, a process, an automated tool and a machine.
 8. The computer implemented method of claim 1, wherein each of said plurality of applications is a member selected from a group consisting of: an application, a tool, a local service and a remote service.
 9. The computer implemented method of claim 1, wherein each of said plurality of deception applications is selected by at least one of: a user and an automated tool.
 10. The computer implemented method of claim 1, wherein said monitoring comprises at least one of: monitoring network activity of at least one of said plurality of deception applications, monitoring interaction of said at least one deception application with said at least one decoy operating system, monitoring at least one log record created by said at least one deception application, and monitoring interaction of at least one of said plurality of deception applications with at least one of a plurality of hardware components in said protected network.
 11. The computer implemented method of claim 1, further comprising dividing at least one of: said at least one decoy operating system, said plurality of deception applications and said plurality of deception data objects to a plurality of groups according to at least one characteristic of said protected network.
 12. The computer implemented method of claim 1, further comprising providing a plurality of templates for creating at least one of: said at least one decoy operating system, said plurality of deception applications and said plurality of deception data objects.
 13. The computer implemented method of claim 12, wherein each of said plurality of templates further comprises a definition of a relationship between at least two of: said at least one decoy operating system, said plurality of deception applications and said plurality of deception data objects.
 14. The computer implemented method of claim 12, further comprising at least one of said plurality of templates is adjusted by at least one user adapting said at least one template according to at least one characteristic of said protected network.
 15. The computer implemented method of claim 1, further comprising generating an alert at detection of said at least one potential unauthorized operation.
 16. The computer implemented method of claim 1, further comprising generating an alert at detection of a combination of a plurality of potential unauthorized operations to detect a complex sequence of said interaction.
 17. The computer implemented method of claim 1, wherein said analysis further comprises preventing false positive analysis to avoid identifying at least one legitimate operation as said at least one potential unauthorized operation.
 18. The computer implemented method of claim 1, further comprising analyzing said at least one potential unauthorized operation to identify an activity pattern.
 19. The computer implemented method of claim 18, further comprising applying a learning process on said activity pattern to classify said activity pattern in order to improve detection and classification of at least one future potential unauthorized operation.
 20. A system for detecting unauthorized access to a protected network by monitoring a dynamically updated deception environment, comprising: a program store storing a code; and at least one processor on at least one decoy endpoint coupled to said program store for executing said stored code, said code comprising: code instructions to launch at least one decoy operating system (OS) managing at least one of a plurality of deception applications mapping a plurality of applications executed in a protected network; code instructions to update dynamically a usage indication for a plurality of deception data objects deployed in said protected network to emulate usage of said plurality of deception data objects for accessing said at least one deception application, said plurality of deception data objects are configured to trigger an interaction with said at least one deception application when used; code instructions to detect usage of data contained in at least one of said plurality of deception data objects by monitoring said interaction; and code instructions to identify at least one potential unauthorized operation based on an analysis of said detection.
 21. A computer implemented method of containing a malicious attack within a deception environment by directing said malicious attack to a dynamically created deception environment, comprising: detecting an attempt of a potential attacker to access a protected network by identifying false access information used by said potential attacker, wherein said false access information is associated with a certain user of said protected network; creating dynamically a deception environment associated with said certain user within said protected network in response to said attempt, wherein said deception environment comprises at least one member selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints; in response to said attempt, granting access to said potential attacker into said deception environment; and monitoring an attack vector applied by said potential attacker using said false access information in said deception environment.
 22. The computer implemented method of claim 21, wherein said decoy endpoint is a member selected from a group consisting of: a local endpoint comprising at least one processor and a virtual machine, wherein said virtual machine is hosted by at least one of: a local endpoint, a cloud service and a vendor service.
 23. The computer implemented method of claim 21, wherein said potential attacker is a member selected from a group consisting of: a user, a process, an automated tool and a machine.
 24. The computer implemented method of claim 21, wherein said deception environment is created based on public information of said certain user.
 25. The computer implemented method of claim 24, wherein said public information is available in at least one networked processing node accessible over at least one network.
 26. The computer implemented method of claim 21, wherein said false access information comprises credentials of said certain user.
 27. The computer implemented method of claim 21, further comprising said attempt is not reported to said certain user.
 28. The computer implemented method of claim 21, wherein said false access information was provided to said potential attacker during a past attempt of said potential attacker to obtain a real version of said false access information of said certain user.
 29. The computer implemented method of claim 28, wherein said past attempt is a phishing attack to obtain said real version of said false access information of said certain user.
 30. The computer implemented method of claim 28, wherein said past attempt is based on attracting said certain user to register to a fictive service created by said potential attacker to obtain said real version of said false access information of said certain user.
 31. The computer implemented method of claim 28, further comprising said past attempt is not reported to said certain user.
 32. The computer implemented method of claim 21, wherein said attempt is detected by comparing a password included in said false access information to at least one predicted password created based on an analysis of public information of said certain user.
 33. The computer implemented method of claim 32, further comprising evaluating robustness of a real password created by said certain user by comparing said real password to said at least one predicted password and alerting said certain user in case said real password is insufficiently robust, wherein said robustness is determined sufficient in case a variation between said at least one predicted password and said real password exceeds a pre-defined number of characters.
 34. The computer implemented method of claim 33, further comprising requesting said certain user to change said real password in case said real password is insufficiently robust.
 35. The computer implemented method of claim 21, wherein said attack vector comprises at least one action initiated by said potential attacker.
 36. The computer implemented method of claim 35, wherein said attack vector is a multi-stage attack vector comprising a plurality of actions initiated by said potential attacker, at least two of said plurality of actions are executed in at least one mode selected from: a series execution, a parallel execution.
 37. The computer implemented method of claim 21, wherein said deception environment is dynamically updated based on analysis of said attack vector in order to deceive said potential attacker to presume said deception environment is a real processing environment, said update includes updating at least one of: an information item of said certain user, a structure of said deception environment and a deployment of said deception environment.
 38. The computer implemented method of claim 21, further comprising extending said deception environment dynamically based on analysis of said attack vector in order to contain said attack vector.
 39. A system for containing a malicious attack within a deception environment by directing said malicious attack to a dynamically created deception environment, comprising: a program store storing a code; and at least one processor on at least one decoy endpoint in a deception environment coupled to said program store for executing said stored code, said code comprising: code instructions to detect an attempt of a potential attacker to access a protected network by identifying false access information used by said potential attacker, wherein said false access information is associated with a certain user of said protected network; code instructions to create dynamically a deception environment associated with said certain user within said protected network in response to said attempted access, wherein said deception environment comprises at least one member selected from a group consisting of: a false account, a decoy endpoint and a decoy network comprising a plurality of decoy endpoints; code instructions to grant access to said potential attacker into said deception environment; and code instructions to monitor an attack vector applied by said potential attacker using said false access information in said deception environment.
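The detection loop of claims 1, 6, 15, 16 and 17 (refreshing the usage indication of planted decoys, monitoring the deception application's records for use of decoy data, dropping the controller's own emulated usage so it is not reported, and combining several detections into one alert) as an added Python example. It is not code from the patent or from any product; the decoy identifiers, host names, the `deception-controller` source name, the log record format and the log lines are all constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class DeceptionObject:
    """One deception data object deployed on a host in the protected network."""
    object_id: str       # constructed identifier for the decoy
    kind: str            # kind of decoy data (claim 5 lists the kinds)
    planted_on: str      # host the decoy data was placed on
    decoy_app: str       # deception application the decoy data points at
    last_used: datetime  # usage indication visible to whoever inspects it

# Constructed name of the component that emulates usage of the decoys.
EMULATOR_SOURCE = "deception-controller"

def refresh_usage_indications(objects, now, max_age=timedelta(days=3)):
    """Update the usage indication dynamically (claims 1 and 6): a decoy whose
    'last used' stamp is older than max_age is re-stamped so it does not stand
    out as bait that nobody ever touches. Returns the ids that were refreshed."""
    refreshed = []
    for obj in objects:
        if now - obj.last_used > max_age:
            obj.last_used = now
            refreshed.append(obj.object_id)
    return refreshed

def parse_decoy_log(line):
    """Parse one constructed decoy-application log record of the form
    '<ISO timestamp> <decoy app> <object id> <source> <outcome>'."""
    ts, app, object_id, source, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "app": app,
            "object_id": object_id, "source": source, "outcome": outcome}

def detect_unauthorized_operations(log_lines, objects):
    """Detect usage of decoy data by monitoring the interaction (claim 1).
    Any interaction with a deception application that presents data from a
    known decoy is a potential unauthorized operation; interactions produced
    by the emulator itself are dropped to prevent false positives (claim 17)."""
    known = {obj.object_id: obj for obj in objects}
    events = []
    for line in log_lines:
        ev = parse_decoy_log(line)
        obj = known.get(ev["object_id"])
        if obj is None or ev["source"] == EMULATOR_SOURCE:
            continue  # unknown object, or our own emulated usage
        events.append({"ts": ev["ts"], "source": ev["source"],
                       "object_id": obj.object_id, "kind": obj.kind,
                       "planted_on": obj.planted_on, "decoy_app": ev["app"],
                       "outcome": ev["outcome"]})
    return events

def correlate_alerts(events, window=timedelta(minutes=10), min_objects=2):
    """Raise one combined alert per source that used at least min_objects
    distinct decoys inside a window (claim 16): a party working through
    harvested bait rather than a single stray touch."""
    by_source = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_source.setdefault(ev["source"], []).append(ev)
    alerts = []
    for source, evs in by_source.items():
        for i, start in enumerate(evs):
            objs = {e["object_id"] for e in evs[i:]
                    if e["ts"] - start["ts"] <= window}
            if len(objs) >= min_objects:
                alerts.append({"source": source, "objects": sorted(objs),
                               "first_seen": start["ts"]})
                break
    return alerts

NOW = datetime(2024, 5, 1, 10, 0)

# Constructed deployment of three decoys of kinds listed in claim 5.
DECOYS = [
    DeceptionObject("smb-share-01", "SMB mapped share", "ws-finance-07",
                    "decoy-smb", NOW - timedelta(days=10)),
    DeceptionObject("db-creds-src", "source file with DB credentials",
                    "dev-build-02", "decoy-db", NOW - timedelta(days=1)),
    DeceptionObject("rdp-config-hr", "remote desktop config", "ws-hr-03",
                    "decoy-rdp", NOW - timedelta(days=5)),
]

# Constructed decoy-application log: the first line is the controller's own
# emulated use, the last line concerns an object that is not a decoy.
DECOY_LOG = [
    "2024-05-01T10:00:00 decoy-smb smb-share-01 deception-controller success",
    "2024-05-01T10:05:00 decoy-smb smb-share-01 10.0.5.23 success",
    "2024-05-01T10:07:30 decoy-db db-creds-src 10.0.5.23 failure",
    "2024-05-01T10:40:00 decoy-rdp rdp-config-hr 10.0.9.4 success",
    "2024-05-01T10:41:00 real-app not-a-decoy 10.0.9.4 success",
]

if __name__ == "__main__":
    print("refreshed:", refresh_usage_indications(DECOYS, NOW))
    detections = detect_unauthorized_operations(DECOY_LOG, DECOYS)
    for d in detections:
        print("decoy used:", d["source"], d["object_id"], d["outcome"])
    print("combined alerts:", correlate_alerts(detections))
```

Two design points carry over from the claims: a failed authentication with decoy data is still a detection, because legitimate software never holds that data at all, and the emulator's own refresh traffic must be tagged with a source the monitor recognises, otherwise the usage emulation of claim 6 floods the analysis of claim 17 with self-inflicted false positives.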
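The comparison rule of claims 32 to 34 (an access attempt is recognised when the presented password equals a planted false password, and a real password counts as robust only when its variation from every predicted password exceeds a pre-defined number of characters) as an added Python example. This is not the patent's code; it measures "variation" as Levenshtein edit distance, which is an assumption since the claims do not fix the metric, and the list of predicted passwords is constructed for a hypothetical user rather than produced by any real predictor.

```python
def levenshtein(a, b):
    """Edit distance in characters between a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_attempt_with_false_access_info(presented_password, planted_false_passwords):
    """Claim 32: a presented password equal to one of the planted false
    passwords marks the attempt for the deception environment."""
    return presented_password in set(planted_false_passwords)

def evaluate_password_robustness(real_password, predicted_passwords, min_variation=4):
    """Claim 33 rule: robust only if the variation from every predicted password
    exceeds min_variation characters; claim 34 action when it does not."""
    if not predicted_passwords:
        raise ValueError("need at least one predicted password")
    distances = {p: levenshtein(real_password, p) for p in predicted_passwords}
    closest = min(distances, key=distances.get)
    robust = distances[closest] > min_variation
    return {"robust": robust, "variation": distances[closest],
            "closest_prediction": closest,
            "action": None if robust else "request_password_change"}

# Constructed predictions for a hypothetical user whose name, birth year and
# pet name are public; how claim 32 derives them is not shown here.
PREDICTED = ["Dana1987", "dana.cohen", "Cohen2020!", "fluffy123", "DanaC1987"]

if __name__ == "__main__":
    for pw in ["Dana1987!", "xq7#Lm!2zR"]:
        print(pw, evaluate_password_robustness(pw, PREDICTED))
    print(is_attempt_with_false_access_info("Dana1987", PREDICTED))
```

With `min_variation=4`, a real password one character away from a prediction is rejected and the user is asked to change it, while a password sharing at most a character or two with any prediction passes; the threshold is the "pre-defined number of characters" of claim 33 and should be tuned per deployment.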